On some Unix systems (e.g., SunOS 4.x), passwd has a "-F" flag allowing you to specify the file to use (instead of /etc/passwd). It appears that the passwd program pays no attention to permissions on that file; it runs setuid to root (of course), and accesses the file without doing any permission checking. Most files aren't in a valid /etc/passwd format, so it chokes, but in the process of doing so, it "syslog"s each line that is invalid; it's quite easy to look in /usr/adm/messages (or wherever syslog is configured to log the messages) to then see the contents of the file, even though the original file is not readable. If the file happened to have some lines in a valid /etc/passwd format, it appears that one could even edit it to some extent. For example, if someone were archiving a copy of /etc/passwd for some reason, someone else could still change their passwd entry in that file (even if it and/or the directories leading to it are protected against access). I've just figured this out; is it a well-known bug? Are there any other consequences?