> The passwd command under AIX 4.1.4 does not ask for the old password if
> you are root, even if you are changing root's password. To me this is a
> serious security flaw, but I haven't had any satisfaction from IBM or my
> suppliers (that said they would pass on my opinion).
>
> Am I alone in thinking this is a serious problem?

You may not be "alone" but you may not be in very good company.

It is only a security problem to someone who leaves a root shell logged in and unattended. If you do this then a creative cracker will scatter some suid shells and trojan suid applications (something that looks like it's *supposed to be suid*). Then he'll look for tripwire and work on replacing it with a hacked version that will ignore his backdoors. Changing root's password isn't satisfactory to a cracker -- you'll know that the gig is up very soon.

About the only real danger I see in it is some sort of denial of service script where root is tricked into running an expect script which forces a change to root's password. This isn't very subtle -- it would be much more clever to use this spoof on random user ids (by linking into one of root's binaries or scripts). This would have the insidious effect of making it appear that users were forgetting their passwords more frequently than usual -- or that the shell accounts were being cracked all over the place. This would be particularly unpleasant if it was the passwd command itself that the trojan linked into.

In either of these scenarios the real problem was in root's practices. This minor "failure" of passwd doesn't contribute to any exploit of root -- it just removes a minor inconvenience. If the cracker is at a root shell he can use any call to crypt() to create a password and vi, emacs, awk, sed, perl or any similar utility to patch it directly into the /etc/passwd file.

If you can imagine a scenario where AIX's behavior is a substantive threat, please let me, let us all, know.
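The reply above argues that the real risk is what an unattended root shell lets someone do: scatter suid shells, tamper with tripwire, or patch a hash straight into the passwd file. The following is an added example, not part of the original thread or of any IBM tool, showing the tripwire-style checks a defender would run to notice exactly those changes: a diff of two snapshots of a 7-field passwd-format file (reporting changed password fields and new uid-0 accounts) and a baseline comparison of setuid files under a directory tree. The two passwd snapshots and their hash strings are constructed sample data; the file names and function names are this example's own.

```python
import os
import stat

# Constructed sample: two snapshots of a 7-field, colon-separated passwd file.
# The hash strings are made up and carry no meaning beyond differing.
BASELINE_PASSWD = """\
root:AbCdEf123456:0:0:root:/:/bin/ksh
daemon:*:1:1::/etc:
alice:XyZ098765432:200:1:Alice:/home/alice:/bin/ksh
bob:Qwerty1234567:201:1:Bob:/home/bob:/bin/ksh
"""

CURRENT_PASSWD = """\
root:NewHashZZZZZZ:0:0:root:/:/bin/ksh
daemon:*:1:1::/etc:
alice:XyZ098765432:200:1:Alice:/home/alice:/bin/ksh
bob:Qwerty1234567:201:1:Bob:/home/bob:/bin/ksh
backup:AnotherHash11:0:0:backup:/tmp:/bin/sh
"""


def parse_passwd(text):
    """Return {login: (password_field, uid, shell)} for each well-formed 7-field line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real tool would report it
        login, pw, uid, _gid, _gecos, _home, shell = fields
        entries[login] = (pw, int(uid), shell)
    return entries


def diff_passwd(baseline_text, current_text):
    """Compare two passwd snapshots and return a sorted list of (finding, login).

    Findings: 'password_changed' for an existing login whose hash field differs,
    'new_account' for any login not in the baseline, 'new_uid0_account' when that
    new login also has uid 0, and 'account_removed' for baseline logins now gone.
    """
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    findings = []
    for login, (pw, uid, _shell) in cur.items():
        if login not in base:
            findings.append(("new_account", login))
            if uid == 0:
                findings.append(("new_uid0_account", login))
        elif base[login][0] != pw:
            findings.append(("password_changed", login))
    for login in base:
        if login not in cur:
            findings.append(("account_removed", login))
    return sorted(findings)


def find_setuid(root_dir):
    """Return sorted relative paths of regular files under root_dir with the setuid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(path, root_dir))
    return sorted(hits)


def new_setuid(baseline_paths, current_paths):
    """Setuid files present in the current scan that the baseline did not record."""
    return sorted(set(current_paths) - set(baseline_paths))


if __name__ == "__main__":
    for finding, login in diff_passwd(BASELINE_PASSWD, CURRENT_PASSWD):
        print(f"{finding}: {login}")
    # Baseline of setuid files would normally be stored from a known-good scan;
    # here the list is a constructed placeholder for illustration.
    known_good = ["usr/bin/passwd", "usr/bin/su"]
    print("new setuid files:", new_setuid(known_good, find_setuid("/usr/bin")))
```

The passwd diff keys on the login name and treats a changed hash field as a finding in its own right, so the "users forgetting their passwords more often than usual" symptom in the reply shows up as a cluster of password_changed findings rather than a vague impression. The setuid scan uses lstat and checks S_ISREG so a planted symlink does not count, and comparing against a stored baseline is what lets a newly appeared suid file stand out among the legitimate ones.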