Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!elroy.jpl.nasa.gov!lll-winken!ames!sgi!vjs@rhyolite.wpd.sgi.com
From: vjs@rhyolite.wpd.sgi.com (Vernon Schryver)
Newsgroups: comp.sys.sgi
Subject: Re: fix for login
Message-ID: <88850@sgi.sgi.com>
Date: 5 Mar 91 03:21:45 GMT
References: <9103042232.AA00908@euler.jsc.nasa.gov>
Sender: guest@sgi.sgi.com
Organization: Silicon Graphics, Inc., Mountain View, CA
Lines: 42

In article <9103042232.AA00908@euler.jsc.nasa.gov>, johnson@EULER.JSC.NASA.GOV (Stan Johnson) writes:
>
> I AM A LITTLE SURPRISED AT THE ABOVE REACTION FROM SGI TO THEIR CUSTOMERS'
> VALID CONCERNS ABOUT SECURITY HOLES IN /bin/login. THE ABILITY TO CHANGE
> ANOTHER USER'S PASSWORD BY SIMPLY GETTING ACCESS TO HIS OR HER ACCOUNT
> THROUGH rlogin SEEMS A VALID ENOUGH SECURITY REASON FOR SGI TO DISTRIBUTE
> A FIX. THERE MAY BE SOME GOOD REASONS NOT TO POST THE EXECUTABLE ON
> sgi.com, BUT THAT DOES NOT DIMINISH THE NEED TO COMMUNICATE THE INFORMATION
> TO CUSTOMERS IN ONE WAY OR ANOTHER.
>
> AND I DON'T THINK REQUESTING A FIX TO A SERIOUS PROBLEM FOR WHICH THERE
> IS A KNOWN FIX MAKES ANYONE A "SQUEAKY WHEEL", AS WAS SUGGESTED IN AN
> EARLIER MESSAGE FROM SGI.
>
> -STAN JOHNSON
> (713) 483-4692
> NASA / Johnson Space Center
> email: johnson@euler.jsc.nasa.gov

Please note that the fix for /bin/login does not close any security holes. The problem is only that people are forced to run the passwd command after being accepted as bona fide users. What happens is exactly the same as if someone had first used rlogin, and then typed `passwd`. At worst, this makes the new "password required" feature less useful. It does not allow anyone any access to machines that they did not already have. In fact, it effectively denies access. The /bin/login bug is a serious bug, but so are many other bugs that we are fixing for IRIX 4.0.
If you view the /bin/login fix as serious enough, and if you are willing to pay enough for the fix before the next release, I bet the support organization would be happy to send you a tape via overnight courier.

Please contact Silicon Graphics or the CERT hotline immediately if you know of a security hole in the IRIX 3.3.2 /bin/login. Again, this fix to /bin/login is not a security issue.

Vernon Schryver, vjs@sgi.com