> > Please explain me how, on a non compromised system, users can replace > > the login program with something else. > > Wasn't that only you in > <[EMAIL PROTECTED]> who claims this? I'm > speaking of a simple childish script kiddy script that you start as a > normal local user *without* root access. I thought you have > misunderstood something because you might have a system in mind with > users you trust. I'm speaking of systems with users you don't trust.
Well, *that* I have got the point. And, well, I don't trust users on my system. But how do you expect that the malicious unprivileged user can fake *other* users by having them use the fake login program. That is my point. The only way I see for doing this is by replacing the real login program by the faked one. OK, as a normal user, I can start a fake login program and have it mimic the bahaviour of /bin/login. But, how could I really have other users run it and believe this is the normal login program? Sending them an email which says "Please run that login program you'll find in my home"? I'm really missing something in your reasoning, here.... -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

