Re: "passwd -F" vulnerability?

Robert Lau (rslau@skat.usc.edu)
Tue, 10 May 1994 20:05:01 -0700

   From: rwing!pat@ole.cdac.com (Pat Myrto)
   Date: Tue, 10 May 94 16:15:56 PDT

   So what?  One can copy /etc/passwd and edit it with an EDITOR.  So?
   Login reads /etc/passwd, not whatever file the user chooses.  Until

   [...]

   It's not a problem.

I think you're missing the point...

The goal might not be to modify a file, sometimes it's enough just to look
at it.  Since passwd is setuid root and is world executable, any user can
use this 'feature' to read any file on any local filesystem or any NFS
filesystems that are mounted root regardless of the permissions on the file.
This includes all files in otherwise private user home directories,
/etc/shadow, whatever.  It doesn't even matter if all parent directories
above the desired file aren't normally readable/searchable by the user.

I'd say that's a problem.

Easy solution, chmod o-rwx /var/adm, /var/log, or wherever passwd sends its
complaints to on your machine...

Robert Lau - Systems Programmer, Unix Systems     213-740-2866
--  University Computing Services                 Internet: rslau@usc.edu
--  University of Southern California             Bitnet:   rslau@uscvm
--  1020 W Jefferson, LA, CA  USA, 90089-0251     UUCP:     ...!uunet!usc!rslau
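
A check for the workaround in the message above, as an added example that is not part of the original post: it reports whether the directories named there (/var/adm, /var/log) still grant any permission to "other". The function names are hypothetical, and it reads only the classic mode bits, not ACLs.

```shell
#!/bin/sh
# Added example: verify that `chmod o-rwx` has been applied to the
# directories where passwd's complaints end up.

# other_perms DIR -> prints the three "other" permission characters of DIR.
# ls -ldL follows symlinks (e.g. /var/adm linked to /var/log); the mode
# string looks like "drwxr-x---", so columns 8-10 are the "other" triplet.
other_perms() {
    ls -ldL "$1" 2>/dev/null | cut -c8-10
}

# dir_is_closed DIR -> 0 if "other" has no r, w or x; 1 if it has any;
# 2 if the mode could not be read.
dir_is_closed() {
    perms=$(other_perms "$1")
    case "$perms" in
        "---"|"--T") return 0 ;;   # "T": sticky bit set, no search permission
        "")          return 2 ;;
        *)           return 1 ;;
    esac
}

# audit_log_dirs DIR... -> one report line per argument; the return status
# is the number of directories still open to "other".
audit_log_dirs() {
    open=0
    for d in "$@"; do
        [ -d "$d" ] || { echo "SKIP  $d (not a directory)"; continue; }
        if dir_is_closed "$d"; then
            echo "OK    $d"
        else
            echo "OPEN  $d other=$(other_perms "$d") (fix: chmod o-rwx $d)"
            open=$((open + 1))
        fi
    done
    return "$open"
}

# When run with arguments, audit them: sh audit.sh /var/adm /var/log
if [ "$#" -gt 0 ]; then
    audit_log_dirs "$@"
fi
```
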