LinuxQuestions.org

rch 04-12-2003 06:55 AM

Autologin Getty
 
What are the options for an autologin with a getty?
I read an excellent article about autologin with mingetty in Linux Journal, but I am using fbgetty. (I also know there is a program called autologin.)
Now I compiled a simple file (idea I found somewhere) with execlp passing arguments to login the username I want to autologin. The program will be loaded by fbgetty so that the user would autologin.
Is the idea safe from security breaches?

unSpawn 04-12-2003 08:40 AM

If you are *not* the only one who has physical access to the console, then ask yourself for starters if it would hurt you if someone rm -rf your /home/${LOGNAME}, read your mail or did Other Stuff under your ${LOGNAME}.

markus1982 04-13-2003 11:04 AM

Quote:

Originally posted by unSpawn
If you are *not* the only one who has physical access to the console, then ask yourself for starters if it would hurt you if someone rm -rf your /home/${LOGNAME}, read your mail or did Other Stuff under your ${LOGNAME}.

I bet not, and whilst you are at this task why not do some port scanning other hosts ...

rch 04-13-2003 10:59 PM

Thanks a bunch for your replies.
The $LOGNAME here is temp.
As the name suggests, I am using the username for sort of temp works,
so I am not too afraid of somebody doing a rm -rf ~.
Anyone who wants to login to his account may still use su or another vc.

unSpawn 04-14-2003 07:25 AM

"as the name suggests i am using the username for sort of temp works"
Unprivileged account names or its tasks don't matter:
"anyone who wants to login to his account may still use su or another vc"
The sting is in the word may. You're looking for justification for having autologin by looking at people's expected behaviour while you should look at the risks. My example was only to show you that autologin should only be done if you're the ONLY one EVER to have access to the box. ...and probably not even then, because you're degrading the security posture of your box.
I should have made this clear from the start, instead of trying to make you think about the risks.

How about me trying to use LD_SO_PRELOAD or link something and trick you into executing something that will give me a backdoor later on? Or exploiting a weakness in one of the running (network facing) daemons? Or maybe bruteforce my way into an account.

Fact is, if you're NOT at the console, what USE is it opening the account anyway, and IF you're at the account then why not do it manually. If you want certain tasks to be done automagically, you could for instance easily set up some cron jobs.

rch 04-15-2003 01:04 AM

Quote:

Originally posted by unSpawn
"as the name suggests i am using the username for sort of temp works"
Unprivileged account names or its tasks don't matter:
"anyone who wants to login to his account may still use su or another vc"
The sting is in the word may. You're looking for justification for having autologin by looking at people's expected behaviour while you should look at the risks. My example was only to show you that autologin should only be done if you're the ONLY one EVER to have access to the box. ...and probably not even then, because you're degrading the security posture of your box.
I should have made this clear from the start, instead of trying to make you think about the risks.

How about me trying to use LD_SO_PRELOAD or link something and trick you into executing something that will give me a backdoor later on? Or exploiting a weakness in one of the running (network facing) daemons? Or maybe bruteforce my way into an account.

Fact is, if you're NOT at the console, what USE is it opening the account anyway, and IF you're at the account then why not do it manually. If you want certain tasks to be done automagically, you could for instance easily set up some cron jobs.

First, about LD_SO_PRELOAD: well, how can anyone set LD_SO_PRELOAD without suid/sgid?
Well, using execlp has its disadvantages as compared to exec (from man pages execlp(3), execve(3), ld.so(8)).
But security is not compromised.
I admit there may be weaknesses in some daemons.
Bruteforce does not seem logical: with MD5 there is less risk of a bruteforce crack (of course, with enough time(?!) anyone can bruteforce in).
But anyway, thanks for your excellent reply.
And I think I will follow as you say!
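
Added example, not posted by anyone in the thread: a getty-launched wrapper of the kind described in the first post, written with execve and an absolute path instead of execlp's PATH search, and passing login an allow-listed environment so LD_* variables are never inherited. The path /bin/login, the helper names and the use of login's -f (skip authentication) option are assumptions; "temp" is the account named in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LOGIN_PATH "/bin/login"  /* assumption: where login(1) lives on this box */
#define AUTO_USER  "temp"        /* the account named in the thread */
static char fixed_path[] = "PATH=/bin:/usr/bin";

/* Allow-list, not deny-list: only TERM is passed through, so LD_PRELOAD,
 * LD_LIBRARY_PATH, an inherited PATH, IFS and the rest are all dropped. */
static int env_allowed(const char *entry)
{
    return strncmp(entry, "TERM=", 5) == 0;
}

/* Fill out[] (capacity cap, including the NULL terminator) with a fixed PATH
 * followed by the allowed entries of in[]. Returns the entry count. */
size_t build_clean_env(char *const in[], char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) { if (cap) out[0] = NULL; return 0; }
    out[n++] = fixed_path;
    for (size_t i = 0; in && in[i] && n + 1 < cap; i++)
        if (env_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

/* argv for "login -f <user>": -f tells login not to authenticate. */
void build_login_argv(const char *user, char *argv[4])
{
    static char a0[] = "login", a1[] = "-f";
    argv[0] = a0;
    argv[1] = a1;
    argv[2] = (char *)user;
    argv[3] = NULL;
}

int main(void)
{
    extern char **environ;
    char *envp[8], *argv[4];
    build_clean_env(environ, envp, 8);
    build_login_argv(AUTO_USER, argv);
    execve(LOGIN_PATH, argv, envp);  /* absolute path: no PATH lookup */
    perror("execve " LOGIN_PATH);    /* reached only if the exec failed */
    return 1;
}
```

This only tightens how login is started; anyone at the console still gets a shell as that user without a password.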


All times are GMT -5.