tech-userlevel archive


Re: Login not reading /etc/login.conf.db



On Wed, 25 Jun 2014 13:15:04 -0400
christos%zoulas.com@localhost (Christos Zoulas) wrote:
> On Jun 25, 12:52pm, darcy%NetBSD.org@localhost ("D'Arcy J.M. Cain") wrote:
> -- Subject: Re: Login not reading /etc/login.conf.db
> 
> | Not sure if that would work for my situation.  In any case, that's not
> | the real question.  The problem is that the login.conf.db file is
> | ignored unless /etc/login.conf exists.  It can even be empty.  Why
> | can't it simply pick up the db file?
> 
> Because it checked before then, and the db pathname is formed later.
> 
> | Where is this actually checked by the way?  I couldn't find it.
> 
> http://nxr.netbsd.org/xref/src/lib/libutil/login_cap.c#80

OK, I read this and see a possible security flaw.  We check security on
the ASCII file but if the db file exists we use it without checking.
It seems to me that we should be checking security on the actual file
that we will be using.  Not sure how to fix it.  I thought of a number
of possibilities but they all wind up duplicating code.

-- 
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/ IM:darcy%Vex.Net@localhost
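
The check discussed in the message above, applied to whichever file is actually opened, as an added example that is not part of the original post or of the NetBSD source. The helper name `open_checked_conf`, the trusted-uid parameter and the policy itself (regular file, trusted owner, no group/other write) are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed policy for this example: regular file, owned by trusted_uid,
 * not writable by group or other. It is checked on the open descriptor,
 * so the verdict applies to the file that will actually be read. */
static int fd_is_secure(int fd, uid_t trusted_uid)
{
    struct stat st;

    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_uid != trusted_uid)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hypothetical helper: open "<base>.db" if it exists, otherwise <base>,
 * and vet whichever file was opened. Returns a descriptor or -1. */
int open_checked_conf(const char *base, uid_t trusted_uid)
{
    char db[1024];
    int fd, n;

    n = snprintf(db, sizeof(db), "%s.db", base);
    if (n < 0 || (size_t)n >= sizeof(db))
        return -1;
    fd = open(db, O_RDONLY);
    if (fd == -1 && errno == ENOENT)   /* fall back only when no db exists */
        fd = open(base, O_RDONLY);
    if (fd == -1)
        return -1;
    if (!fd_is_secure(fd, trusted_uid)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* uid 0 as the trusted owner is an assumption of this example. */
    int fd = open_checked_conf(argc > 1 ? argv[1] : "/etc/login.conf", 0);

    puts(fd == -1 ? "rejected or missing" : "ok to use");
    if (fd != -1)
        close(fd);
    return fd == -1;
}
```

Because the same function vets either file, the check is written once, and a well-protected ASCII file cannot vouch for a loosely protected db file.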

