>Yes, I remember we found that one in 87, probably with SunOS 3.5. >There was a possibility to corrupt a file in the passwd format with >that trick and the NIS (yppasswdd), but apparently no possibility to >make a correct change of any passwd. The worst case was the >possibility to remove parts of /etc/passwd. This might have been the common (at the time) bug that allowed overwriting parts of the password file with chfn, followed by another passwd call thatb woul leave an entry with a 0 uid. There was no checking on valid entries, so that when an invalid entry was read it would e.g. only use the user name but the uid and gid would remain 0. For thos epeople who use NIS, the solution is simple: chmod u-s /bin/passwd. NIS passwd doesn't require root access. Casper