Re: "passwd -F" vulnerability?

Paul Daw (pauld@pyramid.com)
Tue, 10 May 94 22:56:29 PDT

>From: Mike Raffety <mike_raffety@il.us.swissbank.com>
>X-Organization: Swiss Bank Corporation
>Message-Id: <9405101634.AA09295@trinity.sbcoc.com>
>To: bugtraq@crimelab.com
>Subject: "passwd -F" vulnerability?
>Sender: bugtraq-owner@Crimelab.COM
>Precedence: bulk
>
>On some Unix systems (e.g., SunOS 4.x), passwd has a "-F" flag allowing
>you to specify the file to use (instead of /etc/passwd).  It appears
>that the passwd program pays no attention to permissions on that file;
>it runs setuid to root (of course), and accesses the file without doing
>any permission checking.
>
>Most files aren't in a valid /etc/passwd format, so it chokes, but in
>the process of doing so, it "syslog"s each line that is invalid; it's
>quite easy to look in /usr/adm/messages (or wherever syslog is
>configured to log the messages) to then see the contents of the file,
>even though the original file is not readable.
>
>If the file happened to have some lines in a valid /etc/passwd format,
>it appears that one could even edit it to some extent.  For example, if
>someone were archiving a copy of /etc/passwd for some reason, someone
>else could still change their passwd entry in that file (even if it
>and/or the directories leading to it are protected against access).
>
>I've just figured this out; is it a well-known bug?  Are there any
>other consequences?
>

I just checked both our BSD and SVR4 OS versions here, and neither
exhibits this behaviour.  We are running our C2 and CSP packages,
which do change the behaviour of the password program somewhat.
The -F option results in an "illegal option" error.

Someone commented that "passwd -f" is similar to "chfn."  Pyramid's
"passwd -f <user>" forces the user to change their password the next
time that they log in.  I haven't poked around on our Suns or
Solbournes.

      -m---------  Paul Daw                      Pyramid Technology Corporation
    ---mmm-------  Engineering Lab Management    3860 North First Street
  -----mmmmm-----  pauld@pyramid.com -or-        San Jose, CA
-------mmmmmmm---  uunet!pyramid!pauld           95134