OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 2nd quarter (Apr-Jun) 1994: Re: "passwd -F" vulnerability?

Re: "passwd -F" vulnerability?

John Macdonald (jmmelegant.com)
Wed, 11 May 1994 15:59:48 -0400 

Pat Myrto wrote :
|| 
|| "In the previous message, Mike Raffety said..."
|| > 
|| > On some Unix systems (e.g., SunOS 4.x), passwd has a "-F" flag allowing
|| > you to specify the file to use (instead of /etc/passwd).  It appears
|| > that the passwd program pays no attention to permissions on that file;
|| > it runs setuid to root (of course), and accesses the file without doing
|| > any permission checking.
|| 
|| So what?  One can copy /etc/passwd and edit it with an EDITOR.  So?
|| Login reads /etc/passwd, not whatever file the user chooses.  Until
|| the user can write the changes into /etc/passwd (and sometimes
|| /etc/security/passwd.adjunct), he has accomplished NOTHING.

So this permits someone to read a file that is supposed to
be only readable by the owner.

He never said that this was a way to modify /etc/passwd.  Letting
all users read any file on your system is a security bug, whether
it gives them immediate root access or not.

|| Remeber, the passwd command does not determine account access.
|| 
|| [ ... ]
|| 
|| > I've just figured this out; is it a well-known bug?  Are there any
|| > other consequences?
|| 
|| Its not a problem.

Remember, access permissions are supposed to determine which files
you can read.  As stated, it *is* a problem (I haven't tried to
verify to what extent the statement is correct or complete).
-- 
That is 27 years ago, or about half an eternity in | John Macdonald
    computer years.        - Alan Tibbetts         |   jmmElegant.COM