"passwd -F" vulnerability?

Mike Raffety (mike_raffety@il.us.swissbank.com)
Tue, 10 May 94 11:34:32 CDT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Everett F Batey WA6CRE: "Re: new iss stuff"
Previous message: Dan: "new iss stuff"
Next in thread: Pat Myrto: "Re: "passwd -F" vulnerability?"

On some Unix systems (e.g., SunOS 4.x), passwd has a "-F" flag allowing
you to specify the file to use (instead of /etc/passwd).  It appears
that the passwd program pays no attention to permissions on that file;
it runs setuid to root (of course), and accesses the file without doing
any permission checking.

Most files aren't in a valid /etc/passwd format, so it chokes, but in
the process of doing so, it "syslog"s each line that is invalid; it's
quite easy to look in /usr/adm/messages (or wherever syslog is
configured to log the messages) to then see the contents of the file,
even though the original file is not readable.

If the file happened to have some lines in a valid /etc/passwd format,
it appears that one could even edit it to some extent.  For example, if
someone were archiving a copy of /etc/passwd for some reason, someone
else could still change their passwd entry in that file (even if it
and/or the directories leading to it are protected against access).

I've just figured this out; is it a well-known bug?  Are there any
other consequences?

Next message: Everett F Batey WA6CRE: "Re: new iss stuff"
Previous message: Dan: "new iss stuff"
Next in thread: Pat Myrto: "Re: "passwd -F" vulnerability?"