LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-12-2003, 06:55 AM   #1
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

Rep: Reputation: 48
Autologin Getty


What are the options for a autologin with a getty
I read a excellent article about autologin with mingetty in Linux Journal but I am using fbgetty.(I also know there is a program called autologin).
Now I compiled a simple file(idea i found somewhere) with execlp passing arguments to login the username i want to autologin.The program will be loaded by fbgetty so that the user would autologin.
Is the idea safe from security breaches?
 
Old 04-12-2003, 08:40 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900
If you are *not* the only one who has physical access to the console, then ask yourself for starters if it would hurt you if someone rm -rf your /home/${LOGNAME}, read your mail or did Other Stuff under your ${LOGNAME}.
 
Old 04-13-2003, 11:04 AM   #3
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
Originally posted by unSpawn
If you are *not* the only one who has physical access to the console, then ask yourself for starters if it would hurt you if someone rm -rf your /home/${LOGNAME}, read your mail or did Other Stuff under your ${LOGNAME}.
i bet not, and whilst you are at this task why not do some port scanning other hosts ...
 
Old 04-13-2003, 10:59 PM   #4
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

Original Poster
Rep: Reputation: 48
thanks a bunch for your replies
the $LOGNAME here is temp
as the name suggests i am using the username for sort of temp works
so i am not too afraid of somebody doing a rm -rf ~
anyone who wants to login to his account may still use su or another vc
 
Old 04-14-2003, 07:25 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900
as the name suggests i am using the username for sort of temp works
Unprivileged account names or it's tasks don't matter:
anyone who wants to login to his account may still use su or another vc
The sting is in the word may.You're looking for justification for having autologin by looking at people's expected behaviour while you should look at the risks. My example was only to show you that autologin should only be done if you're the ONLY one EVER to have access to the box. ...and probably not even then, because you're degrading the security posture of your box.
I should have made this clear from the start, instead of trying to make you think about the risks.

How about me trying to use LD_SO_PRELOAD or link something and trick you into executing something that will give me a backdoor later on? Or exploiting a weakness in one of the running (network facing) daemons? Or maybe bruteforce my way into an account.

Fact is, if you're NOT at the console, what USE is it opening the account anyway, and IF you're at the account then why not do it manually. If you want certain tasks to be done automagically, you could for instance easily set up some cron jobs.

Last edited by unSpawn; 04-14-2003 at 07:26 AM.
 
Old 04-15-2003, 01:04 AM   #6
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

Original Poster
Rep: Reputation: 48
Quote:
Originally posted by unSpawn
as the name suggests i am using the username for sort of temp works
Unprivileged account names or it's tasks don't matter:
anyone who wants to login to his account may still use su or another vc
The sting is in the word may.You're looking for justification for having autologin by looking at people's expected behaviour while you should look at the risks. My example was only to show you that autologin should only be done if you're the ONLY one EVER to have access to the box. ...and probably not even then, because you're degrading the security posture of your box.
I should have made this clear from the start, instead of trying to make you think about the risks.

How about me trying to use LD_SO_PRELOAD or link something and trick you into executing something that will give me a backdoor later on? Or exploiting a weakness in one of the running (network facing) daemons? Or maybe bruteforce my way into an account.

Fact is, if you're NOT at the console, what USE is it opening the account anyway, and IF you're at the account then why not do it manually. If you want certain tasks to be done automagically, you could for instance easily set up some cron jobs.
First about LD_SO_PRELOAD:Well how can anyone set LD_SO_PRELOAD without suid/sgid
Well using execlp has its disadvantages as compared to exec(From man pages execlp(3) execve(3) ld.so(8))
But security is not compromised
I admit there may be weakness in some deamons.
Bruteforce do not seem logical:With MD5 there is less risk of bruteforce crack(of course ,with enough time(?!) anyone can bruteforce in)
But anyway thanks for your excellent reply
And I think I will follow as you say!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Help my getty is being a yetti!! Law1213 Slackware 6 06-24-2006 02:07 AM
Getting getty to run. kulmis Debian 2 09-03-2004 01:51 PM
What is getty? swmok Linux - Software 2 07-07-2004 05:54 AM
getty in RedHat 8.0 kprocter Linux - General 1 06-02-2003 10:23 AM
switch x getty consoles? gongli Linux - Software 0 06-01-2003 04:16 PM


All times are GMT -5. The time now is 07:36 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration