tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Login not reading /etc/login.conf.db



In article <20140625050140.45cde6b1%NetBSD.org@localhost>,
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost> wrote:
>Perhaps the behavior is correct but I can't see why.  I have my
>login.conf checked into my local SVN repo.  I tried to symlink it
>into /etc but that doesn't seem to work, probably for good reason.  So
>I tried compiling it from my repo with cap_mkdb outputting to /etc.
>
># cap_mkdb -f /etc/login.conf /...my_repo/login.conf
>
>This creates /etc/login.conf.db but when I log in I get basic
>defaults.  I then did "touch /etc/login.conf" and logged in again.
>This time I got the correct settings.  It seems that /etc/login.conf
>needs to exist before it will read /etc/login.conf.db even if it is
>empty.  Does this seem like correct behavior or should I open a PR?

Well, we could reconsider what secure_path(3) means. Right now it
only checks that the file referenced:
        is a plain file
        it is owned by root
        it is not writable by group or others

We could consider instead:
        - each component of the referenced path is a directory
          owned by root and not writable by group and others
        - only the last component of the path can be a symbolic link
          and if it is, the realpath() of that is secure.

christos



Home | Main Index | Thread Index | Old Index