Bugtraq mailing list archives

Re: BoS: /etc/default/login LOCKOUT= creates arbitrary files (f


From: ebradley () telesph com (Eugene Bradley)
Date: Tue, 8 Apr 1997 08:30:48 +0000


I just tested this "LOCKOUT" variable hole in /etc/default/login
on my Solaris 2.5.1 box (with all relevant recommended & security
patches installed) -- no dice.

On 7 Apr 97 at 16:12, Illuminati Primus <vermont () GATE NET> writes:

Several modern unixes provide configuration options for security and logging
in a file called /etc/default/login.  Irix, and I assume some others but
perhaps it's an Irix invention, includes a variable "LOCKOUT" which causes an
account with a specified number of incorrect login attempts in a row to be
locked (one successful login resets the count).  This seems like a really good
idea, especially if you set the variable high enough that no one would ever be
locked out through mistakes whereas any automated password guessing program
(which ran over the net by telnetting in) would be stopped.  Since one
successful login clears the record, people are not able to accumulate the
requisite number of failures over an extended period of time so as to be
suddenly surprised one day.  It should be good, if not for the following
serious security flaw, at least in Irix, checked in both 5.3 and 6.2.

[..deletia...]

ajr <flaps () dgp utoronto ca>
--
Eugene Bradley
System Administrator, Telesphere Corporation--New York, NY
eugene.bradley () telesph com
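As an added illustration (not code from the original post, from Irix, or from Solaris), a small Python simulation of the consecutive-failure lockout policy the quoted message describes: failures in a row count toward LOCKOUT, one successful login clears the count. The threshold of 3 and the event log are constructed assumptions; nothing is read from a real /etc/default/login.

```python
# Added example: simulate the consecutive-failure lockout semantics described
# in the quoted message. Threshold and events below are constructed, not taken
# from any real system.
from dataclasses import dataclass, field


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False
    history: list = field(default_factory=list)


def apply_login_event(state, success, lockout):
    """Apply one login attempt under an Irix-style LOCKOUT policy.

    success -> counter resets to zero (one good login clears the record).
    failure -> counter increments; reaching LOCKOUT locks the account.
    Attempts against a locked account are refused without changing state.
    """
    if state.locked:
        state.history.append("refused")
        return False
    if success:
        state.consecutive_failures = 0
        state.history.append("ok")
        return True
    state.consecutive_failures += 1
    if state.consecutive_failures >= lockout:
        state.locked = True
        state.history.append("locked")
    else:
        state.history.append("fail")
    return False


def replay(events, lockout):
    """Replay (user, success) events in order; return per-user state."""
    states = {}
    for user, success in events:
        st = states.setdefault(user, AccountState())
        apply_login_event(st, success, lockout)
    return states


# Constructed event log: 'alice' mistypes her password now and then but logs
# in between mistakes, so her count never accumulates; 'bob' sees a burst of
# consecutive failures, as an automated guesser would produce.
EVENTS = [
    ("alice", False), ("alice", True), ("alice", False), ("alice", True),
    ("alice", False), ("bob", False), ("bob", False), ("bob", False),
    ("bob", True),
]

if __name__ == "__main__":
    for user, st in replay(EVENTS, lockout=3).items():
        print(user, "locked" if st.locked else "open", st.history)
```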


