Kevin Johnson writes:
:
:> It seems that just about every system that has installed the "shadow"
:> password suite (the free version from John F. Haugh II. It was posted
:> on comp.sources.unix from memory.) is vulnerable with this.
:
:Hmmm... I can't seem to reproduce it with Haugh's shadow passwd package.
:
:The arg processing in lmain.c uses getopt.
:Is it a bug in some implementations of getopt? Or are you testing an
:older version of the package than I have source code for (it appears to
:be 3.3)?

The problem is this:

........
	case 'f':
		fflg++;
		preauth_flag++;
		STRFCPY (name, optarg);
		break;
........
	/*
	 * Allow authentication bypass only if real UID is zero.
	 */
	if ((rflg || fflg) && getuid () != 0) {
		fprintf(stderr, "%s: permission denied\n", Prog);
		exit (1);
	}
........

This is from shadow-3.3.1.  As you can see, the only protection on the
-f flag is that the real uid is required to be zero already.  The only
problem is that rlogind, telnetd and getty run login as ruid/euid root.
So, if any of these programs (or any others on the system...) allow the
-froot to get through...  kerblam!

Our shadow-3.3.1 was *definitely* vulnerable!  (nothing on our system was
using -f, so we nuked it)

-Peter
--
Peter Wemm <peter@DIALix.oz.au> - NIC Handle: PW65 - The keeper of "NN"
"My computer is better than your computer" - Anonymous
   (Overheard, shortly after the creation of the second computer....)
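The post's point is that login's own check (real uid must be zero) cannot protect against a caller that is itself root, so the defence has to sit in the daemon that builds login's argument list. The following is an added example, not Peter's code and not shadow's: a caller-side filter that refuses to pass a remote user name to login when it could be parsed as an option, next to a function mirroring the quoted lmain.c check so the gap is visible. The names login_name_is_safe and build_login_argv, and the 32-character length bound, are assumptions for illustration, not anything from shadow-3.3.1.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical caller-side check (not shadow's code): a remote user name
 * is safe to hand to login(1) as a positional argument only if getopt()
 * cannot mistake it for an option and it contains nothing surprising. */
int login_name_is_safe(const char *name)
{
    size_t len;
    size_t i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 32)          /* 32: illustrative bound, not a shadow limit */
        return 0;
    if (name[0] == '-')                /* "-froot" would be parsed as -f root */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Builds the argv a daemon would exec login with. Returns argc, or -1 if
 * the name was rejected. With filter == 0 this mirrors the behaviour the
 * post describes: the remote name goes straight into argv[1], where
 * login's getopt() will happily read it as "-f root". */
int build_login_argv(const char *remote_user, int filter,
                     const char *argv_out[], int max)
{
    if (max < 3)
        return -1;
    if (filter && !login_name_is_safe(remote_user))
        return -1;
    argv_out[0] = "login";
    argv_out[1] = remote_user;
    argv_out[2] = NULL;
    return 2;
}

/* Mirrors the check quoted from shadow-3.3.1 lmain.c: -f is accepted
 * whenever the real uid is zero, which is always the case when login is
 * exec'd by rlogind, telnetd or getty running as root. */
int login_would_accept_f(unsigned ruid)
{
    return ruid == 0;
}

int main(void)
{
    /* constructed sample names, including the one from the post */
    const char *names[] = { "peter", "-froot", "", "a b", "pw65" };
    const char *argv[3];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int n = build_login_argv(names[i], 1, argv, 3);
        printf("%-8s -> %s\n", names[i], n < 0 ? "rejected" : "passed to login");
    }
    printf("login accepts -f from ruid 0: %d\n", login_would_accept_f(0));
    return 0;
}
```

The filter belongs in every program that execs login with a user-supplied name; fixing the check inside login does nothing here because the real uid it tests is root by construction.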