Login and password program for Linux from scratch, suggestions welcomed.
Login2:
Code:
#define _XOPEN_SOURCE
found so far is what you see above. I was wondering if the way I use 'password' above is correct; it works, but is it correct? This next question doesn't really belong here, but what's the debugger called in Linux? I use Slackware. I was hoping that if no one here used Slackware, there was a debugger that is in most distros that would also be in Slackware. Thanks! One more thing: this program isn't done yet, so if you see something that doesn't make sense, what can I say, it's just a project. :)
pssword2:
Code:
#define _XOPEN_SOURCE
Your login program will currently accept input from a pipe and just keeps looping until the correct password is entered, so you can basically pipe the system dictionary to it - not good.
scanf is a very bad way to do input as it does no bounds checking and echoes its output to the screen. I think you should zero the password array at the start of each iteration of the do loop just to be safe. As soon as you can, you need to dump the root privileges. What does your wait do that sleep doesn't? Also, there's a library function called wait, so perhaps a different name, or make it static. That's all I can see off the top of my head; sorry if I've read anything incorrectly, I just gave it a quick glance. Oh, and the most likely installed debugger will be gdb.
The system dictionary contains a big list of words, so cat system_dict | login_program would try all the words in the system dictionary against the password until it found a match or reached the end. This can be fixed by using a better input method.
There is a function getpass in the std C library, but according to the man page it is obsolete and I can't find its replacement, so I guess the way to go is low-level terminal I/O. Have a look here: http://www.gnu.org/manual/glibc-2.2....nal-Modes.html

I didn't mean the permissions of the executable, I meant the running permissions. I agree it has to be run as root to read /etc/passwd, but after that you can drop some privileges - see below. There will always be some vulnerability in your code that someone hasn't found yet, so it's better to be running as a non-root user when they find it. Basically, only be root when you need to. The functions to change this are setuid/seteuid/getuid/geteuid and their group equivalents.
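Added example, not part of the original thread or any poster's code: one way to act on the points raised in the replies above (refuse piped input, read without echo and with a bounds check, wipe the buffer, then give up root). The names `wipe`, `read_secret` and `drop_privileges` are hypothetical, and clearing supplementary groups is left out.

```c
#define _XOPEN_SOURCE 700
#include <stddef.h>
#include <termios.h>
#include <unistd.h>

/* Zero a secret; volatile keeps the compiler from dropping the stores. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Read one line from fd into buf with terminal echo switched off.
 * Returns the length stored, or -1 if fd is not a terminal or on error. */
int read_secret(int fd, char *buf, size_t size)
{
    struct termios saved, noecho;
    size_t len = 0;
    ssize_t r;
    char c;

    if (size == 0 || !isatty(fd) || tcgetattr(fd, &saved) != 0)
        return -1;                       /* a pipe or file is refused here */
    noecho = saved;
    noecho.c_lflag &= ~(tcflag_t)ECHO;
    if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0)
        return -1;
    while ((r = read(fd, &c, 1)) == 1 && c != '\n')
        if (len < size - 1)
            buf[len++] = c;              /* excess input is dropped, not stored */
    buf[len] = '\0';
    tcsetattr(fd, TCSAFLUSH, &saved);    /* always restore the old settings */
    if (r != 1) {                        /* EOF or read error before newline */
        wipe(buf, size);
        return -1;
    }
    return (int)len;
}

/* Give up root for good: group first, then user, then check it stuck. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;                       /* regaining root must fail */
    return 0;
}
```

A caller would count failed attempts and stop after a small fixed number, call `wipe` on the buffer once the comparison is done, and call `drop_privileges` as soon as the password database has been read.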