"In the previous message, [8LGM] Security Team said..." [ ... details of exploitation of passwd -F deleted ... ] Good clear explanation. Not only explaining how it works, but for fixing it quickly and easily by disabling the option, very valuable for sites where it is deemed not feasable to replace the passwd command (I know of none available that will work with the C2 option off the net - one has to add that capability oneself, and there are a couple of gotchas in making it work properly). Perhaps a similar technique could be used to disable the ability of users to change their full name (-f and running as chfn, another 'feature' that is extremely annoying). BTW - the vulnerability also applies to sites with the C2 conversion done (SunOS), because passwd will ignore /etc/security/passwd.adjunct if the password field in /etc/passwd does not contain '##username'. There might be some difference in the timings of the race, but I suspect not much. Apparantly, for the C2 configuration, passwd triggers on the presence of the '##'. I don't know if the stuff following the '##' is important (like does passwd use that string instead of the actual username for the passwd.adjunct lookup)? Something I will try to find out. But I know without a doubt that if, for example, a NULL passwd is placed in an /etc/passwd entry and then one uses passwd to set the password, it will go into /etc/passwd, not passwd.adjunct. One HAS to add the ##username data to make passwd use the passwd.adjunct file, it will not create that entry on its own. This is a full disclosure that is as close to being done properly as one could ask for, IMO. If any fault could be found, it might be that it was sent close to a weekend, as opposed to waiting till late Sunday or early Monday. But that has to be balanced with getting urgent info out in a hurry vs sitting on it for several days. If its known to be 'in the wild', urgency is greatly increased. Thanks and kudos to the 8lgm folks! PS - expect an advisory from CERT sometime in 1995 - maybe. -- pat@rwing [If all fails, try: rwing!pat@ole.cdac.com] Pat Myrto - Seattle WA "No one has the right to destroy another person's belief by demanding empirical evidence." -- Ann Landers, nationally syndicated advice columnist and Director at Handgun Control Inc.