Make sure that the user name cannot ever be interpreted as an option to

login(8). Note: This does *not* fix any security holes.
1996-02-08 06:05:31 +00:00 · 1996-02-08 06:05:31 +00:00 · 90f0c26840
commit 90f0c26840
parent 718ac5d246
2 changed files with 9 additions and 7 deletions
--- a/libexec/rlogind/rlogind.c
+++ b/libexec/rlogind/rlogind.c
@ -39,7 +39,7 @@ static char copyright[] =

 #ifndef lint
 /* from: static char sccsid[] = "@(#)rlogind.c	8.1 (Berkeley) 6/4/93"; */
-static char *rcsid = "$Id: rlogind.c,v 1.6 1994/06/05 13:57:52 cgd Exp $";
+static char *rcsid = "$Id: rlogind.c,v 1.7 1996/02/08 06:05:31 mycroft Exp $";
 #endif /* not lint */

 /*
@ -239,13 +239,12 @@ doit(f, fromp)
 		if (f > 2)	/* f should always be 0, but... */
 			(void) close(f);
 		setup_term(0);
-		if (authenticated) {
-
+		if (authenticated)
 			execl(_PATH_LOGIN, "login", "-p",
-			    "-h", hostname, "-f", lusername, (char *)NULL);
-		} else
+			    "-h", hostname, "-f", "--", lusername, (char *)0);
+		else
 			execl(_PATH_LOGIN, "login", "-p",
-			    "-h", hostname, lusername, (char *)NULL);
+			    "-h", hostname, "--", lusername, (char *)0);
 		fatal(STDERR_FILENO, _PATH_LOGIN, 1);
 		/*NOTREACHED*/
 	}
--- a/libexec/telnetd/sys_term.c
+++ b/libexec/telnetd/sys_term.c
@ -33,7 +33,7 @@

 #ifndef lint
 /* from: static char sccsid[] = "@(#)sys_term.c	8.1 (Berkeley) 6/4/93"; */
-static char *rcsid = "$Id: sys_term.c,v 1.4 1994/12/23 14:29:46 cgd Exp $";
+static char *rcsid = "$Id: sys_term.c,v 1.5 1996/02/08 06:10:52 mycroft Exp $";
 #endif /* not lint */

 #include "telnetd.h"
@ -1590,6 +1590,7 @@ start_login(host, autologin, name)
 	if (auth_level >= 0 && autologin == AUTH_VALID) {
 # if	!defined(NO_LOGIN_F)
 		argv = addarg(argv, "-f");
+		argv = addarg(argv, "--");
 		argv = addarg(argv, name);
 # else
 #  if defined(LOGIN_R)
@ -1662,12 +1663,14 @@ start_login(host, autologin, name)
 			pty = xpty;
 		}
 #  else
+		argv = addarg(argv, "--");
 		argv = addarg(argv, name);
 #  endif
 # endif
 	} else
 #endif
 	if (getenv("USER")) {
+		argv = addarg(argv, "--");
 		argv = addarg(argv, getenv("USER"));
 #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
 		{