*BSD News Article 52493



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!news.mathworks.com!tank.news.pipex.net!pipex!howland.reston.ans.net!swrinde!ringer.cs.utsa.edu!news.cais.net!news.cinenet.net!island.interverse.com!user
From: richard@interverse.com (Richard Gilligan)
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Horrifying Security Hole Maker-BSDI feature or bug?
Date: Tue, 03 Oct 1995 15:51:15 -0800
Organization: Cinenet Communications,Internet Access,Los Angeles;310-301-4500
Lines: 45
Message-ID: <richard-0310951551150001@island.interverse.com>
NNTP-Posting-Host: 206.85.6.70

Some of you might remember my posting a while back when I first experienced
this nightmare and thought (for complex reasons of low self-esteem, low
pay, and low blood sugar) that my system was the victim of a cracker
attack.  After two go rounds I wonder differently.

The nightmare begins when I discover that all the passwords have been
deleted from /etc/master.passwd.  The effect is that anyone can login
simply by typing a user name at the login prompt-the password prompt is
skipped and they are greeted with a quote and a shell prompt.  Security is
not completely compromised however-one must still know a valid user name
(although username "root" will work and that's a pretty easy name to
guess).

I now believe I have isolated the proximate cause of the problem.

When I use the "adduser" command, I can reliably make passwords disappear
by attempting to put the new user in a group that does not yet exist.
"adduser" tells me that the group does not exist and asks if I want it
created, I do [yes], and we proceed with adding the new user.  Everything
appears normal.
(Except login is easier and everyone can do their own sysadmin chores).

Would some of you try to reproduce this?
Copy your master.passwd file before trying this!
And if this feature/bug bites you, you will need to copy it
(master.passwd) back and do "pwd_mkdb" to rebuild the password database.

If in fact it turns out that the code for this behavior is built into the
BSDI distribution that we have all paid for, perhaps we could encourage
BSD to improve the interface a bit (when I want to disappear passwords will
I remember that this can be done easily using the "adduser" command? Not!
"rm_pwd" would be more intuitive.)

If the code is unique to my machine, I will of course be happy to make it
available via ftp.

Thanks in advance for your participation in this effort,
-- 
Richard Gilligan
Web Site Software Design and Implementation   email     richard@interverse.com          
InterVerse Communications                     phone     310-392-2451
171 Pier Ave. #141                            fax       310-581-1925
Santa Monica CA 90405                         server    http://interverse.com
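
The following check is an added example, not part of the original post: it compares a saved copy of master.passwd with the current file and lists accounts whose password field has gone empty, which is the symptom described above. The function names and the sample data are assumptions constructed for illustration; the hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). BSD master.passwd has 10
# colon-separated fields: name:password:uid:gid:class:change:expire:gecos:home:shell

# List accounts whose password field (field 2) is empty.
empty_passwords() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# List accounts that had a non-empty password field in the backup ($1)
# but have an empty one in the current file ($2).
blanked_since_backup() {
    awk -F: '
        /^#/ { next }
        FILENAME == ARGV[1] { if ($2 != "") had[$1] = 1; next }
        $2 == "" && ($1 in had) { print $1 }
    ' "$1" "$2"
}

# Write constructed sample files into directory $1 (placeholder hashes).
make_sample() {
    cat > "$1/backup" <<'EOF'
root:PLACEHOLDERHASH1:0:0::0:0:System Administrator:/root:/bin/sh
daemon:*:1:1::0:0:System Daemon:/:/sbin/nologin
alice:PLACEHOLDERHASH2:1001:100::0:0:Alice Example:/home/alice:/bin/sh
EOF
    cat > "$1/current" <<'EOF'
root::0:0::0:0:System Administrator:/root:/bin/sh
daemon:*:1:1::0:0:System Daemon:/:/sbin/nologin
alice::1001:100::0:0:Alice Example:/home/alice:/bin/sh
newuser::1002:200::0:0:New User:/home/newuser:/bin/sh
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    echo "empty password field now:"; empty_passwords "$tmp/current"
    echo "blanked since backup:";     blanked_since_backup "$tmp/backup" "$tmp/current"
    rm -rf "$tmp"
}
demo
```

On a live system the functions would be pointed at the saved copy and at /etc/master.passwd, which is readable only by root.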