Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!bloom-beacon!gatech!rutgers!bellcore!texbell!killer!rpp386!jfh
From: jfh@rpp386.Dallas.TX.US (John F. Haugh II)
Newsgroups: comp.sources.d
Subject: Re: getty/login for callback
Summary: Something else that doesn't work ...
Message-ID: <15079@rpp386.Dallas.TX.US>
Date: 7 Apr 89 18:02:16 GMT
References: <180001@mechp10.UUCP> <13853@rpp386.Dallas.TX.US> <797@twwells.uucp> <14U6Pf88Sj1010WE=r6@amdahl.uts.amdahl.com> <28@wells.UUCP>
Reply-To: jfh@rpp386.Dallas.TX.US (John F. Haugh II)
Distribution: usa
Organization: River Parishes Programming, Dallas TX
Lines: 35

In article <28@wells.UUCP> edw@wells.UUCP (Ed Wells) writes:
>    I have something on the 3B at the local high school that does this.
>/bin/login is now /bin/login2.  A new 'C' program called /bin/login is now
>in place to detect the username and determine if the ulimit is to be upped.
>It then 'exec's to /bin/login.  Of course, this program can be modified
>to do anything.

Sigh.  /bin/login can be called with no arguments or with the name
of a user whose account should be upped, but which the person at the
keyboard doesn't have the password for.

Imagine.  User Shmoe gets a 15 oglebyte ulimit, user Joe gets the
normal, dull 1 oglebyte ulimit.  Joe wants to create a 10 oglebyte
file, so, he logs out and types 'shmoe' at the getty prompt.  getty
calls login, which recognizes 'shmoe' as getting the hugeoid ulimit.
Joe types some bogosity at the Password: prompt, and is reprompted
for his REAL name, which he types in and so on.

Poof, so much for only Shmoe getting the hugoid ulimit ...  What
went wrong?

The login I wrote sets your ulimit from the passwd file after the
password is validated.  This is just about the only spoof proof
method around.
-- 
John F. Haugh II                        +-Quote of the Week:-------------------
VoiceNet: (214) 250-3311   Data: -6272  | "Porsche does not recommend
InterNet: jfh@rpp386.Dallas.TX.US       |  exceeding any speed limits"
UucpNet : !killer!rpp386!jfh            +--        -- Porsche Ad ------------
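
Added example, not part of the original post and not either poster's code: a small C model of the two designs discussed above, showing which ulimit a session ends up with when the limit is chosen before the password check versus after it. The account table, passwords, DEFAULT_ULIMIT and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed accounts; limits follow the post (15 vs 1 "oglebyte"). */
struct acct { const char *name, *pw; long ulimit; };
static const struct acct accts[] = {
    { "shmoe", "s3cret", 15 },
    { "joe",   "hunter", 1  },
};
#define DEFAULT_ULIMIT 1L   /* assumed limit for an unrecognized name */
struct attempt { const char *name, *pw; };  /* one name/password prompt pair */

static const struct acct *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++)
        if (strcmp(accts[i].name, name) == 0) return &accts[i];
    return NULL;
}

/* Login loop: reprompts until one name/password pair validates. */
static const struct acct *authenticate(const struct attempt *a, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const struct acct *u = lookup(a[i].name);
        if (u && strcmp(u->pw, a[i].pw) == 0) return u;  /* model only */
    }
    return NULL;
}

/* Wrapper design: limit picked from the name typed at getty, before any
   password check, then inherited across login's reprompts. */
long ulimit_wrapper(const struct attempt *a, size_t n) {
    const struct acct *claimed = n ? lookup(a[0].name) : NULL;
    long limit = claimed ? claimed->ulimit : DEFAULT_ULIMIT;
    return authenticate(a, n) ? limit : -1;  /* -1: no session started */
}

/* Post-validation design: limit read from the authenticated account. */
long ulimit_after_auth(const struct attempt *a, size_t n) {
    const struct acct *u = authenticate(a, n);
    return u ? u->ulimit : -1;
}

int main(void) {
    /* Constructed prompt sequence: wrong password for shmoe, then joe. */
    struct attempt spoof[] = { { "shmoe", "bogus" }, { "joe", "hunter" } };
    printf("wrapper: %ld\n", ulimit_wrapper(spoof, 2));
    printf("after auth: %ld\n", ulimit_after_auth(spoof, 2));
    return 0;
}
```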