reopen 305600 thanks Hello,
I'm not completely sure about this one and thus woudn't like to see it archived too fast. First, let me summarize how a normal user could use this security hole (if any). - Write a script which looks like login, ask for the password once, say the pass is wrong (save it) and then exec the real login program. - Login, run the script, and leave the program as a trap for the next user to sit at this machine. - Next user will type in login/pass, be surprised (and certainly think that he did a typo), retry to log in, successfully this time. There is several ways for the trapped user to see that he was just trapped. For example, login won't tell him that he just failed a login attempt. Or, login's display is not the same just after a failed attempt than at the begining. But the point is that the user got trapped. So, I reopen this bug just to leave the discussion open and see what happens. In my opinion, this is a unfixable bug. Whatever we do in login to prevent it could be done by an attacker, too. But I may well be wrong. So, if you know a way to fix it, I'd be pleased to see it. patch welcome :) Thanks, Mt.
signature.asc
Description: Digital signature
