Re: [hackers] [ubase][PATCH] login: obfuscate non-existent users

From: Jules Maselbas <jules.maselbas_AT_grenoble-inp.org>
Date: Mon, 3 Dec 2018 15:50:19 +0100 (CET)

> ---
> login.c | 15 +++++++++------
> 1 file changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/login.c b/login.c
> index 25a59e4..9e1b08f 100644
> --- a/login.c
> +++ b/login.c
> _AT_@ -76,6 +76,7 @@ main(int argc, char *argv[])
> uid_t uid;
> gid_t gid;
> int pflag = 0;
> + int fakelogin = 0;
>
> ARGBEGIN {
> case 'p':
> _AT_@ -97,22 +98,24 @@ main(int argc, char *argv[])
> if (!pw) {
> if (errno)
> eprintf("getpwnam %s:", user);
> - else
> - eprintf("who are you?\n");
> + else {
> + /* eprintf("who are you?\n"); fake login instead of showing error */
> + fakelogin = 1;
> + }
> }
>
> - uid = pw->pw_uid;
> - gid = pw->pw_gid;
> -
> /* Flush pending input */
> ioctl(0, TCFLSH, (void *)0);
>
> pass = getpass("Password: ");
> if (!pass)
> eprintf("getpass:");
> - if (pw_check(pw, pass) <= 0)
> + if (fakelogin || pw_check(pw, pass) <= 0)
If you want to fake a real user, why don't you check the password as well?
For instance:
if (pw_check(pw, pass) <= 0 || fakelogin)

my 2 cents

> exit(1);
>
> + uid = pw->pw_uid;
> + gid = pw->pw_gid;
> +
> tty = ttyname(0);
> if (!tty)
> eprintf("ttyname:");
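Review bot: In the password check, `fakelogin || pw_check(pw, pass) <= 0` short-circuits for an unknown user, so no password hash is computed on that path and the rejection probably returns faster than a wrong password for a real account, which would still let the two cases be told apart by timing. Because `pw` is NULL whenever `fakelogin` is set, closing that gap needs a comparable amount of hashing against a fixed placeholder entry that can never match, with `fakelogin` still forcing the failure; `pw_check` is not shown here, so its cost and its handling of a NULL `pw` are assumptions to confirm. Separately, the commented-out call in the `else` branch is better replaced by a plain why-comment such as `/* unknown user: still prompt, then fail like a wrong password */`. The body of main continues outside the hunk.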
> --
> 2.14.5
Received on Mon Dec 03 2018 - 15:50:19 CET
