Re: "passwd -F" vulnerability?
Pat Myrto (rwing!pat@ole.cdac.com)
Tue, 10 May 94 22:41:36 PDT
- Next message: der Mouse: "iss: _my_ last two cents"
- Previous message: Bill Broadley: "Re: "passwd -F" vulnerability? (fwd)"
- In reply to: Robert Lau: "Re: "passwd -F" vulnerability?"
- Next in thread: Steve Simmons: "Re: "passwd -F" vulnerability?"
"In the previous message, Robert Lau said..."

> > From: rwing!pat@ole.cdac.com (Pat Myrto)
> > Date: Tue, 10 May 94 16:15:56 PDT
> >
> > So what? One can copy /etc/passwd and edit it with an EDITOR. So?
> > Login reads /etc/passwd, not whatever file the user chooses. Until
>
> [...]
>
> > It's not a problem.
>
> I think you're missing the point...
>
> The goal might not be to modify a file, sometimes it's enough just to look
> at it. Since passwd is setuid root and is world executable, any user can
> use this 'feature' to read any file on any local filesystem or any NFS
> filesystems that are mounted root regardless of the permissions on the file.
> This includes all files in otherwise private user home directories,
> /etc/shadow, whatever. It doesn't even matter if all parent directories
> above the desired file aren't normally readable/searchable by the user.
>
> I'd say that's a problem.
>
> Easy solution, chmod o-rwx /var/adm, /var/log, or wherever passwd sends its
> complaints to on your machine...

<sheepishly> Like I said, I stand corrected; I had replaced passwd some time ago because I didn't want users to be able to change their fullname field, so I couldn't readily test it. Users were sticking any old thing in the GECOS field. So I butchered up passwd+ so it will work with the passwd.adjunct file and pwdauthd daemon.

> Robert Lau - Systems Programmer, Unix Systems 213-740-2866
> -- University Computing Services Internet: rslau@usc.edu
> -- University of Southern California Bitnet: rslau@uscvm
> -- 1020 W Jefferson, LA, CA USA, 90089-0251 UUCP: ...!uunet!usc!rslau
> --

pat@rwing [If all fails, try: rwing!pat@ole.cdac.com] Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding empirical evidence." -- Ann Landers, nationally syndicated advice columnist and Director at Handgun Control Inc.
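As an added example (not part of this thread, and not code from either poster), here is a small POSIX shell audit for the mitigation Robert Lau describes above: confirm that the directories a setuid passwd writes its complaints into grant nothing to "other", so that a user who coaxes passwd -F into logging lines of a private file cannot read them back. The function names and the directory list are my own assumptions; substitute whatever log location your passwd actually uses.

```shell
# Added example, not from the original thread.
# Audit whether the directories a setuid program logs its complaints to
# are reachable by "other" users. Portable to any POSIX sh: it reads the
# mode string from ls -ld rather than relying on a GNU- or BSD-specific stat.

# Print the "other" rwx field of a path's mode, e.g. "r-x" or "---".
check_other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 when no listed directory grants any permission to "other",
# 1 otherwise, naming each offender and the chmod that closes it.
audit_log_dirs() {
    rc=0
    for d in "$@"; do
        [ -d "$d" ] || continue          # skip paths that do not exist here
        other=$(check_other_bits "$d")
        case "$other" in
            ---) ;;                      # already closed to "other"
            *)
                echo "world-accessible: $d (other=$other); fix: chmod o-rwx $d"
                rc=1
                ;;
        esac
    done
    return $rc
}

# Constructed sample list: the locations named in the thread. Adjust for
# wherever your passwd sends its complaints.
audit_log_dirs /var/adm /var/log
```

The exit status makes the check usable from cron or a configuration audit: a non-zero return means at least one log directory still leaks to unprivileged users.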