Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!mcnc!gatech!rutgers!lll-lcc!pyramid!decwrl!decvax!michaud
From: michaud@decvax.UUCP (Jeff Michaud)
Newsgroups: comp.unix.wizards
Subject: Re: Built-in login command (/bin/login)
Message-ID: <91@decvax.UUCP>
Date: Fri, 12-Jun-87 20:15:43 EDT
Article-I.D.: decvax.91
Posted: Fri Jun 12 20:15:43 1987
Date-Received: Sat, 20-Jun-87 19:36:42 EDT
References: <845@pixar.UUCP>
Lines: 36


	Protecting /bin/login from execute by world (other)
	is a good idea.

	Back at U. of NH, I discovered by accident that if
	I ran /bin/login directly (not "exec" it, which the
	builtin shell command "login" does) and logged into
	an account with no password (they had a captive
	account which ran /bin/who), when /bin/login exited
	the entry in the /etc/utmp kept the new login name.

	Then (I don't know if it is true anymore) mail used
	to use the /etc/utmp entry (given by: who am i)
	instead of by uid (given by: whoami).

	An even worse problem is you can really screw up the
	script utility by:

		% script
		Script Started
		in-script% /bin/login who
			.....
		in-script% ^D

	What ends up happening is that /bin/login makes the
	entry in /etc/utmp, but only the init process clears
	it.  So on your pty you had in script, utmp says
	"who" is logged on.  For some reason, nobody could
	use "script" after that, until the system was rebooted.

			Jeff

			michaud@decvax.dec.com
			...!decvax!michaud

	ps: no .sigjfdkdfjk file yet