From 90f0c26840bea293de4a0e67ba0657c4648e6d12 Mon Sep 17 00:00:00 2001 From: mycroft Date: Thu, 8 Feb 1996 06:05:31 +0000 Subject: [PATCH] Make sure that the user name cannot ever be interpreted as an option to login(8). Note: This does *not* fix any security holes. --- libexec/rlogind/rlogind.c | 11 +++++------ libexec/telnetd/sys_term.c | 5 ++++- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/libexec/rlogind/rlogind.c b/libexec/rlogind/rlogind.c index 46b5b5e0fb77..6c2e65789eb5 100644 --- a/libexec/rlogind/rlogind.c +++ b/libexec/rlogind/rlogind.c @@ -39,7 +39,7 @@ static char copyright[] = #ifndef lint /* from: static char sccsid[] = "@(#)rlogind.c 8.1 (Berkeley) 6/4/93"; */ -static char *rcsid = "$Id: rlogind.c,v 1.6 1994/06/05 13:57:52 cgd Exp $"; +static char *rcsid = "$Id: rlogind.c,v 1.7 1996/02/08 06:05:31 mycroft Exp $"; #endif /* not lint */ /* @@ -239,13 +239,12 @@ doit(f, fromp) if (f > 2) /* f should always be 0, but... */ (void) close(f); setup_term(0); - if (authenticated) { - + if (authenticated) execl(_PATH_LOGIN, "login", "-p", - "-h", hostname, "-f", lusername, (char *)NULL); - } else + "-h", hostname, "-f", "--", lusername, (char *)0); + else execl(_PATH_LOGIN, "login", "-p", - "-h", hostname, lusername, (char *)NULL); + "-h", hostname, "--", lusername, (char *)0); fatal(STDERR_FILENO, _PATH_LOGIN, 1); /*NOTREACHED*/ } diff --git a/libexec/telnetd/sys_term.c b/libexec/telnetd/sys_term.c index 21b0d30ad1dd..4912cdf1db7b 100644 --- a/libexec/telnetd/sys_term.c +++ b/libexec/telnetd/sys_term.c @@ -33,7 +33,7 @@ #ifndef lint /* from: static char sccsid[] = "@(#)sys_term.c 8.1 (Berkeley) 6/4/93"; */ -static char *rcsid = "$Id: sys_term.c,v 1.4 1994/12/23 14:29:46 cgd Exp $"; +static char *rcsid = "$Id: sys_term.c,v 1.5 1996/02/08 06:10:52 mycroft Exp $"; #endif /* not lint */ #include "telnetd.h" @@ -1590,6 +1590,7 @@ start_login(host, autologin, name) if (auth_level >= 0 && autologin == AUTH_VALID) { # if !defined(NO_LOGIN_F) argv = addarg(argv, "-f"); + argv = addarg(argv, "--"); argv = addarg(argv, name); # else # if defined(LOGIN_R) @@ -1662,12 +1663,14 @@ start_login(host, autologin, name) pty = xpty; } # else + argv = addarg(argv, "--"); argv = addarg(argv, name); # endif # endif } else #endif if (getenv("USER")) { + argv = addarg(argv, "--"); argv = addarg(argv, getenv("USER")); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) {