Date: Thu, 7 Oct 1999 19:56:46 +0100
From: David Malone <dwmalone@MATHS.TCD.IE>
Subject: Problems with redhat 6 Xsession and pam.d/rlogin.
To: BUGTRAQ@SECURITYFOCUS.COM

I've found two problems which seem to be present in RedHat 6.0 and RedHat 6.1. They're not earthshatteringly bad, but...

1) Xsession on RedHat will start kde, gnome or anotherlevel rather than running a user's .xsession file, if you choose one of these from kdm. This is bad if you have accounts which have a special shell and xsession which are supposed to only allow one use of the account.

Maybe it would be sensible to check a user has a shell listed in /etc/shells before starting a kde, gnome or anotherlevel session for them.

2) pam.d/rlogin allows you to log in, even if /etc/nologin exists 'cos the line:

    auth sufficient /lib/security/pam_rhosts_auth.so

is further up the file than:

    auth required /lib/security/pam_nologin.so

Easy to fix.

David.
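
The ordering problem in point 2, as an added example that is not part of the original post: a small checker that flags any "sufficient" auth module listed above pam_nologin.so in a pam.d service file, since a successful "sufficient" module ends the auth stack before later lines run. The function names and both sample files are constructed for illustration, and only the simple keyword control syntax is handled.

```python
def parse_auth_stack(text):
    """Return [(lineno, control, module)] for the auth lines of a pam.d service file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue                             # account/session/password lines
        module = fields[2].rsplit("/", 1)[-1]    # compare by file name, not path
        entries.append((lineno, fields[1], module))
    return entries


def nologin_bypasses(text):
    """Return [(lineno, module)] for 'sufficient' auth modules that can succeed
    before pam_nologin.so is consulted. If pam_nologin.so is missing from the
    auth stack, every 'sufficient' module is reported."""
    stack = parse_auth_stack(text)
    cut = len(stack)
    for i, (_, _, module) in enumerate(stack):
        if module == "pam_nologin.so":
            cut = i
            break
    return [(n, m) for n, control, m in stack[:cut] if control == "sufficient"]


# Constructed sample: the two auth lines in the order the post reports.
AS_REPORTED = """\
# constructed sample, not a copy of the shipped file
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
"""

# Constructed sample: same lines with pam_nologin.so moved to the top.
REORDERED = """\
# constructed sample, not a copy of the shipped file
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_rhosts_auth.so
account required /lib/security/pam_pwdb.so
"""

if __name__ == "__main__":
    for name, text in (("as reported", AS_REPORTED), ("reordered", REORDERED)):
        hits = nologin_bypasses(text)
        print(name, "->", hits if hits else "pam_nologin.so is checked first")
```

Run against each file under /etc/pam.d to find other services with the same ordering.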