From 42408492610c827c249bcb461e1a9b50ad4c6aa6 Mon Sep 17 00:00:00 2001 From: David Schultz Date: Mon, 17 Nov 2003 00:08:28 +0000 Subject: Document nologin(8) as being insecure in conjunction with a dynamic root and suggest alternatives. --- sbin/nologin/nologin.8 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'sbin/nologin') diff --git a/sbin/nologin/nologin.8 b/sbin/nologin/nologin.8 index 7f8f9fff2877..0c452ff33535 100644 --- a/sbin/nologin/nologin.8 +++ b/sbin/nologin/nologin.8 @@ -59,3 +59,18 @@ The .Nm utility appeared in .Bx 4.4 . +.Sh BUGS +Login mechanisms that allow users to specify the initial environment, +such as +.Xr login 1 +and +.Xr sshd 8 , +can be used to bypass +.Nm . +To avoid this possibility, you must use a different lockout mechanism +such as +.Xr login.conf 5 +or compile a statically-linked +.Xr sh 1 +as described in +.Xr make.conf 5 . -- cgit v1.2.3