Date:      Mon, 9 Sep 1996 08:16:45 +0300 (EET DST)
From:      Seppo Kallio <kallio@cc.jyu.fi>
To:        Joerg Wunsch <joerg_wunsch@uriah.heep.sax.de>
Cc:        FreeBSD hackers <freebsd-hackers@freebsd.org>, Wolfram Schneider <wosch@cs.tu-berlin.de>
Subject:   Re: SECURITY HOLE in FreeBSD 2.1.5 ????????!!!!!!!
Message-ID:  <Pine.SOL.3.92.960909080801.1485A-100000@kanto.cc.jyu.fi>
In-Reply-To: <199609070742.JAA08466@uriah.heep.sax.de>

>
> It indeed creates this file, but you should have UTSL'ed before.  It
> is deliberately created with ``insecure'' permissions, and it is the
> new copy of /etc/passwd if the -p option has been specified.  Thus, it
> doesn't contain passwords.

Then it is OK. The name was misleading me.

> > We cannot add users to the system when someone is using the passwd command.
> > It is a really big problem in a node having 4000 accounts when we try to add
> > 1000 accounts now when new students come in at the start of September.
> > The passwd command should not lock the passwd files for the entire time after
> > the user types passwd until he/she succeeds in typing his/her new passwd!
>
> Of course, the passwd command *should* lock the master password file
> while modifications are in progress.

Yes. But not right after the user pushes the enter button after the passwd
command. That is not all the time the user is "in" the passwd command.
As you say, "while modifications are in progress". There is no modification
in progress until the user pushes enter after the second new passwd. Or do you
agree?

>  However, you are perhaps
> interested in Guido's ``incremental update'' modifications:
>
> revision 1.11
> date: 1996/07/01 19:38:27;  author: guido;  state: Exp;  lines: +218 -133
> Implement incremental passwd database updates. This is done by adding a '-u'
> option to pwd_mkdb and adding this option to utilities invoking it.
> Further, the filling of both the secure and insecure databases has been
> merged into one loop, giving also a performance improvement.

Can you tell me, where I can find this modification?

> Btw., i found a real security hole while browsing through the sources:
> adduser backs up the contents of master.passwd into a world readable
> file in case pwd_mkdb(8) returned an error.  Wolfram, can you fix this
> please (by setting umask(066) first, i think)?
>
> --
> cheers, J"org

Thank you.

Seppo Kallio				kallio@jyu.fi
Computing Center			Fax +358-14-603611
U of Jyväskylä		62.14N 25.44E	Phone +358-14-603606
PL 35, 40351 Jyväskylä, Finland		http://www.jyu.fi/~kallio
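The world-readable master.passwd backup J"org mentions is the kind of bug a restrictive umask (or an explicit 0600 create mode) closes; the following is an added example of that pattern in C, not code from adduser or pwd_mkdb. The function names, the constructed sample line and the /tmp paths used when calling it are assumptions for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst so the copy is never group/other readable, not even
 * between open() and a later chmod().  Added illustration of the
 * umask(066) fix proposed in the thread; not adduser's own code.
 * Returns the permission bits of the finished copy (0600), or -1. */
int backup_private(const char *src, const char *dst)
{
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    mode_t old = umask(066);    /* mask group/other rw for anything created */
    /* O_EXCL: refuse to overwrite or follow anything already at dst */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    umask(old);                 /* restore the caller's umask */
    if (out < 0) { close(in); return -1; }
    char buf[4096];
    ssize_t n;
    int rc = -1;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    struct stat st;
    if (n == 0 && fstat(out, &st) == 0)
        rc = (int)(st.st_mode & 0777);   /* 0600 on success */
    close(in);
    close(out);
    return rc;
}

/* 1 if group or others have any access to path, 0 if not, -1 on error. */
int world_exposed(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (st.st_mode & 077) != 0;
}

/* Writes a constructed one-line stand-in for master.passwd (fake data)
 * and removes any stale backup; returns 0 on success. */
int make_sample(const char *path, const char *stale_backup)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("demo:*:1001:1001::0:0:Demo User:/home/demo:/bin/sh\n", f);
    fclose(f);
    unlink(stale_backup);
    return 0;
}
```

A second call with the same destination fails because of O_EXCL, so an attacker-placed file or symlink at the backup path is never written through.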