Re: "passwd -F" vulnerability?

John Macdonald (jmm@elegant.com)
Wed, 11 May 1994 15:59:48 -0400

Pat Myrto wrote :
|| 
|| "In the previous message, Mike Raffety said..."
|| > 
|| > On some Unix systems (e.g., SunOS 4.x), passwd has a "-F" flag allowing
|| > you to specify the file to use (instead of /etc/passwd).  It appears
|| > that the passwd program pays no attention to permissions on that file;
|| > it runs setuid to root (of course), and accesses the file without doing
|| > any permission checking.
|| 
|| So what?  One can copy /etc/passwd and edit it with an EDITOR.  So?
|| Login reads /etc/passwd, not whatever file the user chooses.  Until
|| the user can write the changes into /etc/passwd (and sometimes
|| /etc/security/passwd.adjunct), he has accomplished NOTHING.

So this permits someone to read a file that is supposed to
be only readable by the owner.

He never said that this was a way to modify /etc/passwd.  Letting
all users read any file on your system is a security bug, whether
it gives them immediate root access or not.

|| Remember, the passwd command does not determine account access.
|| 
|| [ ... ]
|| 
|| > I've just figured this out; is it a well-known bug?  Are there any
|| > other consequences?
|| 
|| It's not a problem.

Remember, access permissions are supposed to determine which files
you can read.  As stated, it *is* a problem (I haven't tried to
verify to what extent the statement is correct or complete).
-- 
That is 27 years ago, or about half an eternity in | John Macdonald
    computer years.        - Alan Tibbetts         |   jmm@Elegant.COM
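
Added example, not part of the original thread or of any vendor's passwd source: one way a set-uid program can open a caller-named file so that the kernel enforces the invoking user's permissions, which is the check the thread says "-F" skips. It assumes POSIX seteuid()/setegid() with a saved set-user-ID; the function name open_as_real_user is hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open `path` with the access rights of the invoking (real) user instead of
 * the set-uid owner. Returns a file descriptor, or -1 with errno set.
 * Hypothetical helper written for this example. */
int open_as_real_user(const char *path, int flags)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, err;

    /* Drop the group first: once the effective uid is unprivileged the
     * process may no longer be allowed to change its effective gid. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        err = errno;
        (void)setegid(saved_egid);
        errno = err;
        return -1;
    }

    /* The permission check now happens inside open() against the real user,
     * so there is no access()-then-open() window to race. */
    fd = open(path, flags | O_NOCTTY);
    err = errno;

    /* Restore privileges in reverse order; fail closed if that fails. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_as_real_user(argc > 1 ? argv[1] : "/etc/passwd", O_RDONLY);
    if (fd < 0) { perror("open_as_real_user"); return 1; }
    close(fd);
    return 0;
}
```

Run without set-uid, the helper behaves like a plain open(); installed set-uid, a file the caller could not read directly fails with EACCES instead of being opened with the owner's privileges.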