author | guido <guido@FreeBSD.org> | 1994-08-15 19:44:50 +0000 |
---|---|---|
committer | guido <guido@FreeBSD.org> | 1994-08-15 19:44:50 +0000 |
commit | e55e130de4c950f2bbbd9c71bcf4d0fcd66b4463 (patch) | |
tree | 807ea7f4a11bca9427bb311fb2d40d046bdf134c /libexec | |
parent | 3929e12fe325472644c863ca1a1c334a68472ec0 (diff) | |
Plug security hole that was already fixed in 1.1. It prevents
users from specifying their hostname when rlogin()-ing in
(using rlogin -f-h<host>).
Reviewed by:
Submitted by:
Diffstat (limited to 'libexec')
-rw-r--r-- | libexec/rlogind/rlogind.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libexec/rlogind/rlogind.c b/libexec/rlogind/rlogind.c
index 6f5f5e1..5792798 100644
--- a/libexec/rlogind/rlogind.c
+++ b/libexec/rlogind/rlogind.c
@@ -293,6 +293,11 @@ doit(f, fromp)
 if (f > 2) /* f should always be 0, but... */
 (void) close(f);
 setup_term(0);
+ if (strchr(lusername, '-')) {
+ syslog(LOG_ERR, "tried to pass user \"%s\" to login",
+ lusername);
+ fatal(STDERR_FILENO, "invalid user", 0);
+ }
 if (authenticated) {
 #ifdef KERBEROS
 if (use_kerberos && (pwd->pw_uid == 0)) |
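Review bot: The new `strchr(lusername, '-')` guard carries no comment saying why a hyphen is fatal, and it rejects a '-' anywhere in the name, so accounts with hyphenated login names are refused as well. If lusername reaches login as its own argv element (the exec call is outside this hunk, so this is inferred), only a leading '-' can be parsed as an option and `if (lusername[0] == '-') {` would be enough; otherwise keep the broad test and put `/* lusername is handed to login(1); a '-' could be read as an option */` above it. The syslog line would be more useful for detection if it also recorded the peer taken from `fromp`, which it currently omits. doit()'s body starts and ends outside the hunk.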