Re: DEC OSF/1 Enhanced Security passwd problem

der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Wed, 31 Aug 1994 16:17:53 -0400

> I'm having trouble w/ DEC OSF/1 V2.0 Enhanced Security.  Just
> yesterday, the passwd program decided to be very friendly and let
> anyone (except root) change anyone else's password.  [...]

> Any user can type "passwd username" to change anyone's password
> WITHOUT supplying the old password.  [...]  Strangely, when root
> attempts to change someone else's password, the "Old password:"
> prompt is given.  It's almost like it's reversing the result when
> checking whether the user should have to supply the old password.

> Any ideas are welcome.

It seems almost too obvious to need saying...but have you checked your
passwd binary against the distribution media (which I hope you have
kept, never un-writelocked)?  This sounds like exactly what I'd expect
if someone broke in, looked through passwd for a place where it checks
for root privilege, and reversed the following conditional branch.
(This would be a pretty incompetent cracker, but something tells me
Sturgeon's Law is as true of crackers as it is of other things.)

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
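
The check suggested in the reply above, as an added example that is not part of the original message: a byte-for-byte comparison of an installed binary against a trusted reference copy, reporting how many bytes differ (a single altered branch would show up as a very small count with identical file sizes). The function name and the demo files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: compare an installed binary with a trusted reference copy.
# On a real system the reference would be read from write-protected
# distribution media; the paths used below are constructed stand-ins.

# count_diff_bytes INSTALLED REFERENCE
# Prints 0 if the files are identical, "size" if their lengths differ,
# otherwise the number of byte positions that differ.
# Returns 0 only when the files match.
count_diff_bytes() {
    installed=$1
    reference=$2
    [ -r "$installed" ] && [ -r "$reference" ] || { echo "unreadable"; return 2; }

    if cmp -s "$installed" "$reference"; then
        echo 0
        return 0
    fi

    size_i=$(wc -c < "$installed" | tr -d ' ')
    size_r=$(wc -c < "$reference" | tr -d ' ')
    if [ "$size_i" -ne "$size_r" ]; then
        echo "size"
        return 1
    fi

    # cmp -l prints one line per differing byte (offset and both values).
    cmp -l "$installed" "$reference" | wc -l | tr -d ' '
    return 1
}

# Constructed demo: two stand-in files of equal length differing in one byte.
tmp=$(mktemp -d)
printf 'priv-check branch=0' > "$tmp/reference"
printf 'priv-check branch=1' > "$tmp/installed"
echo "differing bytes: $(count_diff_bytes "$tmp/installed" "$tmp/reference")"
rm -rf "$tmp"
```

Run the comparison with tools taken from the trusted media as well, since `cmp` on a host that may have been modified cannot be assumed intact.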