Bug#314956: Excess permission or bad ownership on file /var/log/btmp

2005-07-03 Thread Colin Watson
tags 314956 pending
thanks

On Sun, Jun 19, 2005 at 09:53:31AM -0700, dean gaudet wrote:
> openssh 4.x now tries to append to /var/log/btmp (on bad passwords for 
> example), but it's excessively anal about the permissions on that file. it 
> doesn't permit group or other to have any of read/write/execute.
> 
> the default debian setup is this:
> 
> -rw-rw-r--  1 root utmp 3840 Jun 18 14:40 /var/log/btmp
> 
> and there are legit reasons for group utmp writability... such as:
> 
> -rwxr-sr-x  1 root utmp 306616 Nov 14  2004 /usr/bin/screen
> 
> i really don't know what to recommend as the right fix for this... you 
> could disable USE_BTMP entirely, which was the pre-4.0 behaviour anyhow. 
> or modify it to permit the debian perms...

I could persuade myself to cope with the latter option if it were just
group utmp readability/writability, but the world-readability is
completely contrary to the comment in openssh/loginrec.c:

   * The most common login failure is to give password instead of username.
   * So the _PATH_BTMP file checked for the correct permission, so that
   * only root can read it.

I've disabled USE_BTMP in CVS.

Thanks,

-- 
Colin Watson   [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
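A permission audit, added here as an illustration and not code from openssh or Debian, that applies the same strictness the thread describes (root-owned, no read/write/execute for group or other) to an `ls -l` mode field or to a live path, and flags world-readability separately, since that is the leak the loginrec.c comment is guarding against:

```python
import os
import stat

# Constructed check mirroring the btmp requirement discussed in the thread.
GROUP_OTHER_MASK = stat.S_IRWXG | stat.S_IRWXO

_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def mode_from_ls(field: str) -> int:
    """Parse the 10-character type+permission field from `ls -l` into mode bits."""
    if len(field) != 10:
        raise ValueError("expected a 10-character ls -l mode field")
    mode = 0
    for i, ch in enumerate(field[1:]):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= _BITS[i]
        elif ch in "sStT" and i in _SPECIAL:
            mode |= _SPECIAL[i]          # setuid / setgid / sticky
            if ch in "st":               # lowercase also means execute is set
                mode |= _BITS[i]
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i + 1}")
    return mode


def btmp_problems(mode: int, uid: int = 0) -> list:
    """Return why openssh-style strictness would reject this btmp file (empty = OK)."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & GROUP_OTHER_MASK:
        problems.append("group/other have permission bits (openssh requires none)")
    if mode & stat.S_IROTH:
        problems.append("world-readable: failed-login records, which often contain "
                        "passwords typed in place of usernames, are exposed")
    return problems


def check_path(path: str = "/var/log/btmp") -> list:
    """Audit a real file; returns the same problem list as btmp_problems()."""
    st = os.stat(path)
    return btmp_problems(stat.S_IMODE(st.st_mode), st.st_uid)
```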
Bug#314956: Excess permission or bad ownership on file /var/log/btmp

2005-06-19 Thread dean gaudet
Package: openssh-server
Version: 1:4.1p1-4

openssh 4.x now tries to append to /var/log/btmp (on bad passwords for 
example), but it's excessively anal about the permissions on that file. it 
doesn't permit group or other to have any of read/write/execute.

the default debian setup is this:

-rw-rw-r--  1 root utmp 3840 Jun 18 14:40 /var/log/btmp

and there are legit reasons for group utmp writability... such as:

-rwxr-sr-x  1 root utmp 306616 Nov 14  2004 /usr/bin/screen

i really don't know what to recommend as the right fix for this... you 
could disable USE_BTMP entirely, which was the pre-4.0 behaviour anyhow. 
or modify it to permit the debian perms...

-dean