On Sat, Sep 22, 2001 at 15:11:17 +0400, Andrey A. Chernov wrote:
> If you mean his report in BUGTRAQ
>
>http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=215381&start=2001-09-19&end=2001-09-25
>
> it is hoax, we don't have such vulnerability in -current as I test.
> Please TEST things before commiting, especially to all branches.
> Please back it out.
Why it is hoax? One reason is simple, look at his examples:
----------------------------------------------------
default: :copyright=/etc/master.passwd:
or
:welcome=/etc/master.passwd:
in user's ~/.login_conf.
---------------------------------------------------
Only "me" class can be defined in ~/.login_conf, anything else ignored
there. And "me" class picked up only when permissions are set to user
mode, at the end of setusercontext(). And "copyright" and "welcome" are
not overwriteable from "me" class in any case.
--
Andrey A. Chernov
http://ache.pp.ru/
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
