tags 314956 pending
thanks

On Sun, Jun 19, 2005 at 09:53:31AM -0700, dean gaudet wrote:
> openssh 4.x now tries to append to /var/log/btmp (on bad passwords for
> example), but it's excessively anal about the permissions on that file. it
> doesn't permit group or other to have any of read/write/execute.
>
> the default debian setup is this:
>
> -rw-rw-r-- 1 root utmp 3840 Jun 18 14:40 /var/log/btmp
>
> and there are legit reasons for group utmp writability... such as:
>
> -rwxr-sr-x 1 root utmp 306616 Nov 14 2004 /usr/bin/screen
>
> i really don't know what to recommend as the right fix for this... you
> could disable USE_BTMP entirely, which was the pre-4.0 behaviour anyhow.
> or modify it to permit the debian perms...

I could persuade myself to cope with the latter option if it were just
group utmp readability/writability, but the world-readability is
completely contrary to the comment in openssh/loginrec.c:

   * The most common login failure is to give password instead of username.
   * So the _PATH_BTMP file checked for the correct permission, so that
   * only root can read it.

I've disabled USE_BTMP in CVS.

Thanks,

-- 
Colin Watson [EMAIL PROTECTED]
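
Added example, not part of the original message and not OpenSSH's code: a small C check that evaluates a btmp file's mode against the two policies discussed in this thread, the strict one described in the report (no group/other bits) and the relaxed one from the reply (group utmp read/write only, nothing for world). The function names are hypothetical, and requiring the owner to be uid 0 is an assumption of this example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Strict policy as described in the report: group and other may have
 * no read/write/execute bits. Owner must be root (assumption). */
int btmp_ok_strict(mode_t mode, uid_t uid)
{
    return uid == 0 && (mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Relaxed policy from the reply: group read/write is tolerated, but
 * group execute and every "other" bit (world-readability) are not. */
int btmp_ok_group_rw(mode_t mode, uid_t uid)
{
    return uid == 0 && (mode & (S_IXGRP | S_IRWXO)) == 0;
}

/* Apply a policy to a file on disk.
 * Returns 1 if acceptable, 0 if rejected, -1 if it cannot be examined. */
int check_path(const char *path, int (*policy)(mode_t, uid_t))
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;               /* refuse anything but a regular file */
    return policy(st.st_mode, st.st_uid);
}

int main(void)
{
    /* Constructed sample modes; 0664 is the Debian default quoted above. */
    mode_t samples[] = { 0600, 0660, 0664 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%04o root: strict=%d group_rw=%d\n", (unsigned)samples[i],
               btmp_ok_strict(samples[i], 0),
               btmp_ok_group_rw(samples[i], 0));

    printf("/var/log/btmp: strict=%d\n",
           check_path("/var/log/btmp", btmp_ok_strict));
    return 0;
}
```

The Debian default mode 0664 fails both policies because of the world-read bit; 0660 passes only the relaxed one.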