From d37ea4370286929657fe427b83c1acb377f547d1 Mon Sep 17 00:00:00 2001 From: marcel Date: Fri, 31 May 2013 17:30:12 +0000 Subject: [PATCH] Fix "automatic" login, broken by revision 69825 (12 years, 5 months ago). The "automatic" login feature is described as follows: The USER environment variable holds the name of the person telnetting in. This is the username of the person on the client machine. The traditional behaviour is to execute login(1) with this username first, meaning that login(1) will prompt for the password only. If login fails, login(1) will retry, but now prompt for the username before prompting for the password. This feature got broken by how the environment got scrubbed. Before the change in r69825 we removed variables that we deemed dangerous. Starting with r69825 we only keep those variable we know to be safe. The USER environment variable fell through the cracks. It suddenly got scrubbed (i.e. removed from the environment) while still being checked for. It also got explicitly removed from the environment to handle the failed login case. The fix is to obtain the value of the USER environment variable before we scrub the environment and used the "cached" in subsequent checks. This guarantees that the environment does not contain the USER variable in the end, while still being able to implement "automatic" login. Obtained from: Juniper Networks, Inc. git-svn-id: http://svn0.us-east.freebsd.org/base/head/contrib/telnet@251188 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- telnetd/sys_term.c | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/telnetd/sys_term.c b/telnetd/sys_term.c index a7b0075..6d06b28 100644 --- a/telnetd/sys_term.c +++ b/telnetd/sys_term.c @@ -1,4 +1,4 @@ - /* +/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * @@ -1026,6 +1026,10 @@ void start_login(char *host undef1, int autologin undef1, char *name undef1) { char **argv; + char *user; + + user = getenv("USER"); + user = (user != NULL) ? strdup(user) : NULL; scrub_env(); @@ -1160,9 +1164,9 @@ start_login(char *host undef1, int autologin undef1, char *name undef1) # endif } else #endif - if (getenv("USER")) { + if (user != NULL) { argv = addarg(argv, "--"); - argv = addarg(argv, getenv("USER")); + argv = addarg(argv, user); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) { char **cpp; @@ -1170,17 +1174,6 @@ start_login(char *host undef1, int autologin undef1, char *name undef1) argv = addarg(argv, *cpp); } #endif - /* - * Assume that login will set the USER variable - * correctly. For SysV systems, this means that - * USER will no longer be set, just LOGNAME by - * login. (The problem is that if the auto-login - * fails, and the user then specifies a different - * account name, he can get logged in with both - * LOGNAME and USER in his environment, but the - * USER value will be wrong. - */ - unsetenv("USER"); } #ifdef AUTHENTICATION #if defined(NO_LOGIN_F) && defined(LOGIN_R) @@ -1190,6 +1183,9 @@ start_login(char *host undef1, int autologin undef1, char *name undef1) #endif /* AUTHENTICATION */ closelog(); + if (user != NULL) + free(user); + if (altlogin == NULL) { altlogin = _PATH_LOGIN; }