COMMAND
login(1)
SYSTEMS AFFECTED
AIX 3.1.x and 3.2.x, Linux 0.?
PROBLEM
A problem with the way login parses the arguments passed to it
by rlogind allows access to the root account. The problem is the
willingness of login to parse the command line option -fUSER as -f
USER. Whether you can sneak -fUSER to your login program
depends on your rlogind. Rlogind basically comes in two
incarnations:
old_style: rlogind establishes the connection, allocates a pty and
calls login with -r <hostname>. There is no way to sneak something to
login on the command line (except with getty, when it passes
usernames starting with a -). The login program will then do the
rlogin protocol over stdin/stdout.
new_style: rlogind establishes the connection, allocates a pty *and*
does the rlogin protocol itself. If the remote user is authenticated,
login is called like this (with exec, so each token is exactly one
argument, never more):
login -p -h <hostname> -f lusername
When the remote user is not authenticated, login is called like this:
login -p -h <hostname> lusername
Now, if -f expects an argument (getopt string "f:"), you can specify
"-fuser" as a remote login name, and login is called as
login -p -h <hostname> -flusername
which is interpreted as
login -p -h <hostname> -f lusername
when -f accepts an argument. If -f does not accept an argument, this
provokes a usage error; if argument parsing is done with
strcmp("-f", argv[x]), the string is accepted as an ordinary argument
(the username). The best solution would be to have rlogind (and
telnetd, if it negotiates a username) call a getoptified login like this:
login <other args, safely constructed by telnetd/rlogind> -- username
Summarizing: if your rlogind does the new protocol *AND* your
login uses "f:" in its getopt string, you're hosed.
SOLUTION
IBM's emergency patch for the rlogin <host> -l -f... password
check disable problem is available as:
ftp://software.watson.ibm.com/pub/rlogin/rlogin.tar.Z
The APAR# is IX44254; it is also available through "fixdist"
via aix.boulder.ibm.com.
Linux users should just get the latest version of login.