Author Topic: Login program (daemon? not sure)  (Read 798 times)

TheQuirk

  • VIP
  • Member
  • ***
  • Posts: 2,154
  • Kudos: 315
Login program (daemon? not sure)
« on: 18 January 2003, 02:30 »
If /etc/shadow can only be viewed by root, doesn't "login" have to run as root (for a period of time, anyway?) as well? Isn't this a bit unsafe? Am I right about the fact that it runs as root?

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Login program (daemon? not sure)
« Reply #1 on: 18 January 2003, 02:57 »
"init" spawns "getty" which in turn spawns "login" which in turn spawns the user's shell. The init/getty/login indeed run as root in order to perform the password authentication. The shell itself obviously runs under the privileges of the user who has logged in.

It's a lot more secure than letting all users have access to the encrypted password file but there really isn't any other way I can think of that would be better. If you can, then it surely would get implemented if you brought it up. Most Linux/UNIX systems work this way.

[ January 17, 2003: Message edited by: void main ]

Someone please remove this account. Thanks...

TheQuirk

  • VIP
  • Member
  • ***
  • Posts: 2,154
  • Kudos: 315
Login program (daemon? not sure)
« Reply #2 on: 18 January 2003, 03:11 »
Couldn't you run it as "nobody"?

choasforages

  • VIP
  • Member
  • ***
  • Posts: 1,729
  • Kudos: 7
    • http://it died
Login program (daemon? not sure)
« Reply #3 on: 18 January 2003, 04:18 »
If the ttys and some other things were owned by nobody. Maybe Hurd has something to correct this, or SELinux, with its mandatory access lists.
x86: a hack on a hack of a hackway
alpha, hewlett packed it A-way
ppc: the fruity way
mips: the graphical way
sparc: the sunny way
4:20.....forget the DMCA for a while!!!

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Login program (daemon? not sure)
« Reply #4 on: 18 January 2003, 04:26 »
You could not run it as nobody. It doesn't get run until you type in your id and passwd. If login determines that your id/passwd is valid it spawns a shell with your user privileges and then exits. It has to run as root because no other user has the authority, for one to read the /etc/shadow, but more importantly to invoke a user shell under the privileges of any other user. Even NT/2k etc. work similarly. I don't understand the concern.

[ January 17, 2003: Message edited by: void main ]

Someone please remove this account. Thanks...
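The sequence voidmain describes (login, still root after checking the password, switches to the user's ids and then starts the shell) is where the root requirement actually bites: only root can call setuid()/setgid() to an arbitrary account. The following is an added example written for this thread, not code from any poster or from a real login implementation; it assumes Linux with glibc, and the function names (drop_privileges, can_regain_root, self_check, login_as) are mine. It shows the privilege drop in the order that works (supplementary groups, then gid, then uid), checks every return value, and verifies afterwards that root cannot be regained, since a silently failing setuid() is the classic way such a program stays root by accident.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to the given user, in the only order that works:
 * supplementary groups first (needs root), then gid, then uid.
 * Returns 0 on success, -1 on any failure.  Every call is checked and the
 * resulting ids are re-read, because a setuid() whose failure goes unnoticed
 * leaves the process running as root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        /* Only root may change supplementary groups; replace them with the target gid. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)   /* must precede setuid(): afterwards we are no longer allowed to */
        return -1;
    if (setuid(uid) != 0)   /* sets real, effective and saved uid; there is no way back to root */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* After a drop, an attempt to become root again must fail with EPERM.
 * Returns 1 if root could be regained (the drop was incomplete), 0 otherwise. */
int can_regain_root(void) {
    if (setuid(0) == 0)
        return 1;
    return 0;
}

/* Self-check that needs no root: drop to our own ids (a no-op in effect) and
 * confirm the verification passes and root cannot be regained.  Returns 1 if ok. */
int self_check(void) {
    uid_t u = getuid();
    gid_t g = getgid();
    if (drop_privileges(u, g) != 0)
        return 0;
    if (u != 0 && can_regain_root())
        return 0;
    return 1;
}

/* What login does once the password has been accepted: look up the account,
 * drop to it and replace ourselves with the user's shell.  Only root can do
 * this for an arbitrary user, which is why login runs as root until this point. */
int login_as(const char *name) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", name);
        return -1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return -1;    /* never exec a shell while still root */
    }
    if (chdir(pw->pw_dir) != 0)
        perror("chdir");
    const char *shell = (pw->pw_shell && *pw->pw_shell) ? pw->pw_shell : "/bin/sh";
    execl(shell, shell, (char *)NULL);
    perror("execl");   /* only reached if the exec failed */
    return -1;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <user>\n", argv[0]);
        return 2;
    }
    /* A real login verifies the password against the /etc/shadow hash here,
     * which is the step that needs root to read the file. */
    return login_as(argv[1]) == 0 ? 0 : 1;
}
```

Run as an ordinary user with your own user name it simply re-execs your shell; run as root it switches to the named account first. The point of `can_regain_root()` is the check a reviewer would want to see: after `setuid()` to an unprivileged id, `setuid(0)` must fail, and if it does not, the drop was not complete.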

choasforages

  • VIP
  • Member
  • ***
  • Posts: 1,729
  • Kudos: 7
    • http://it died
Login program (daemon? not sure)
« Reply #5 on: 18 January 2003, 04:35 »
That's almost what I was trying to say, that to set it to something else, you would have to make it totally insecure to do it that way.
x86: a hack on a hack of a hackway
alpha, hewlett packed it A-way
ppc: the fruity way
mips: the graphical way
sparc: the sunny way
4:20.....forget the DMCA for a while!!!

TheQuirk

  • VIP
  • Member
  • ***
  • Posts: 2,154
  • Kudos: 315
Login program (daemon? not sure)
« Reply #6 on: 18 January 2003, 05:43 »
I don't have a concern. Just thinking.

BTW, when I meant "running it as nobody", I meant allowing "nobody" to have access to /etc/shadow... Of course, then other things that use "nobody" would have access as well, so I guess it's a bad idea.

[ January 18, 2003: Message edited by: TheQuirk ]