"In the previous message, Steve Mitchell said..." > > > FYI, this vulnerability exists on 4.1.3_U1. I do not know how > widespread knowledge of this vulnerability is, but I have seen Suns > running a modified passwd program that has "-F option disabled" (according > to the message output by passwd). So somebody out there has known about > it for a while. > > The following trivial perl script allows non-privileged users to > easily read any file on the system. Gleep! I stand corrected. But does this give all the contents of the file that is thus opened (I have not actually tried to exploit this problem, I am not running the stock passwd command). But the fix would seem to be to replace the passwd command. I have a copy of passwd+ I severely hacked on (butchered?) so that it works with the passwd.adjunct file (replaced so users cannot be changing their fullname, another annoying feature of the stock passwd command - users changing their fullname to nonsense or names that do not identify them, etc). -- pat@rwing [If all fails, try: rwing!pat@ole.cdac.com] Pat Myrto - Seattle WA "No one has the right to destroy another person's belief by demanding empirical evidence." -- Ann Landers, nationally syndicated advice columnist and Director at Handgun Control Inc.