tech-userlevel archive


Re: Login not reading /etc/login.conf.db



On Wed, 25 Jun 2014 15:20:18 +0000 (UTC)
christos%astron.com@localhost (Christos Zoulas) wrote:
> In article <20140625050140.45cde6b1%NetBSD.org@localhost>,
> D'Arcy J.M. Cain <darcy%NetBSD.org@localhost> wrote:
> ># cap_mkdb -f /etc/login.conf /...my_repo/login.conf
> >
> >This creates /etc/login.conf.db but when I log in I get basic
> >defaults.  I then did "touch /etc/login.conf" and logged in again.
> >This time I got the correct settings.  It seems that /etc/login.conf
> >needs to exist before it will read /etc/login.conf.db even if it is
> >empty.  Does this seem like correct behavior or should I open a PR?
> 
> Well, we could reconsider what secure_path(3) means. Right now it
> only checks that the file referenced:
>       is a plain file
>       it is owned by root
>       it is not writable by group or others

That's why it rejects my symlink.

> We could consider instead:
>       - each component of the referenced path is a directory
>         owned by root and not writable by group and others
>       - only the last component of the path can be a symbolic link
>         and if it is, the realpath() of that is secure.

Not sure if that would work for my situation.  In any case, that's not
the real question.  The problem is that the login.conf.db file is
ignored unless /etc/login.conf exists.  It can even be empty.  Why
can't it simply pick up the db file?

Where is this actually checked by the way?  I couldn't find it.

-- 
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/ IM:darcy%Vex.Net@localhost
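The two rule sets Christos describes above (what secure_path(3) checks today, and the proposed per-component variant with a symlink allowed only at the last step), as an added C example that is not from the thread or from NetBSD's libutil; the names file_stat_is_secure, dir_stat_is_secure and secure_path_extended are hypothetical, and walking the prefixes with lstat(2) is one reading of the proposal.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
/* What the thread says secure_path(3) checks today: a plain file, owned by
 * root, not writable by group or others. */
int file_stat_is_secure(const struct stat *st)
{
    return S_ISREG(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}
/* Proposed rule for every directory on the way to the file. */
int dir_stat_is_secure(const struct stat *st)
{
    return S_ISDIR(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}
/* Hypothetical extended check: lstat(2) every prefix so a symlinked directory
 * is rejected; only the final component may be a symlink, and then its
 * realpath(3) target must pass the same check.  1 = secure, 0 = not. */
int secure_path_extended(const char *path)
{
    char buf[PATH_MAX], resolved[PATH_MAX];
    struct stat st;
    size_t i, len = strlen(path);
    if (path[0] != '/' || len >= sizeof(buf))
        return 0;                       /* relative or oversized: reject */
    memcpy(buf, path, len + 1);
    if (lstat("/", &st) != 0 || !dir_stat_is_secure(&st))
        return 0;
    for (i = 1; i < len; i++) {         /* check "/etc", "/etc/sub", ... */
        if (buf[i] != '/')
            continue;
        buf[i] = '\0';
        if (lstat(buf, &st) != 0 || !dir_stat_is_secure(&st))
            return 0;                   /* missing, symlinked or loose dir */
        buf[i] = '/';
    }
    if (lstat(path, &st) != 0)
        return 0;
    if (S_ISLNK(st.st_mode)) {          /* last component may be a symlink */
        if (realpath(path, resolved) == NULL)
            return 0;
        return secure_path_extended(resolved);  /* target has no symlinks */
    }
    return file_stat_is_secure(&st);
}
```

Under this rule a symlinked /etc/login.conf passes only if every directory of the realpath(3) target is itself root-owned and not group/other writable, which is the situation D'Arcy doubts it would cover.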

