Date: Tue, 12 Mar 2002 03:00:58 -0800 (PST) From: Slawomir Parysek <irys@irc.pl> To: freebsd-gnats-submit@FreeBSD.org Subject: i386/35816: no one can change password, because "passwd DB is locked" Message-ID: <200203121100.g2CB0wv92939@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 35816
>Category: i386
>Synopsis: no one can change password, because "passwd DB is locked"
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 12 03:10:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Slawomir Parysek
>Release: 4.5-RELEASE
>Organization:
ArgNet
>Environment:
FreeBSD my.host.name.com.pl 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386
>Description:
When one (malicious) user edit his own passwd database (via $ chpass command), no one can change password, because "passwd DB is locked". Also root cant't change any information in passwd database, eg add/delete
It is very importand problem especialy on systems whih acts as shell box (TM.).
>How-To-Repeat:
how to repeat, huh, thats simple:
log in into accont and leave an running "chpass" command on screen and log out, huh noone can change his/her passd and/or any other info by editing /etc/passwd* etc
>Fix:
how to fix it? hmm... block acces to command chpass for all suspicous users ;-P
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200203121100.g2CB0wv92939>