AIX 3.1.x and 3.2.x, Linux 0.?


    This a problem  with the way  login parses it  arguments as passed
    by rlogind allows access to  the root account. The problem  is the
    ability of  login to  parse the  command line  option -fUSER as -f
    USER. Now,  whether you  can sneak  -fUSER to  your login  program
    depends  on  your   rlogind.  Rlogind  basically   comes  in   two

    old_style:  rologind  establishes  connection,  allocates  pty and
    calls  login  with  -r  <hostname>.  No way to sneak something to
    login  on  the  command  line  (except  with getty, when it passes
    usernames starting with  a -). The  login program will  the do the
    rlogin protocol  over stin/stuot.

    new_style: rlogin establishes the connection, allocates pty  *and*
    does the  rlogin protocol.  If the  remote user  is authenticated,
    login  is  called  like  this  (with  exec,  so  each token is one
    argument, never more)

        login -p -h <hostname> -f lusername

    when login is not authenticated, login is called like this:

        login -p -h <hostname> lusername

    Now, if -f expects an argument (getops string f:), you can specify
    "-fuser" as  a remote loginname, and remote is called as

        login -p -h <hostname> -flusername

    this is interpreted as

        login -p -h <hostname> -f lusername

    when -f accepts an argument. It provokes a usage error if -f  does
    not accept an argument, it is accepted as an argument if  argument
    parsing  is  done  with  strcmp("-f",  argv[x]). The best solution
    would be to have rlogind (and telnetd if it negotiates a username)
    call a getoptified login like this:

    login <other args, safely constructed by telnetd/rlogind> -- username

    Summarizing:  if  your  rlogind  does  the new protocol *AND* your
    login uses f: in its getopt strings, you're hosed.


    IBM's emergency  patch for the rlogin  <host> -l  -f...  password
    check dissable problem is available as:

    Also the APART#  is IX44254 --  it is available  through "fixdist"

    For Linux user just get the lattest version of login.