Date: Fri, 8 Jan 1999 17:17:18 -0500 (EST)
From: Barrett Richardson
To: Jared Mauch
cc: freebsd-security@FreeBSD.ORG
Subject: Re: 3.0 rel pwd_mkdb problem(patch)
In-Reply-To: <19990108003140.A13277@puck.nether.net>

On Fri, 8 Jan 1999, Jared Mauch wrote:

>
> I've had a problem recently with people breaking root
> and installing accounts with *no* uid in their pw file entry,
> that way everything comes up with zero for the uid, giving
> the user root privs. I'm not sure how they're obtaining root yet,

Maybe in addition to your patch you could log who is trying to run
pwd_mkdb with the null id. You could also turn on process accounting
and find out what else he was doing around the same time frame.

Just a thought.

- Barrett
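Added example, not part of the original message or of FreeBSD's code: a check for the kind of entry described in the quoted text, where the uid field is empty and so comes up as zero. It assumes the ten-field master.passwd(5) layout; the function names, the sample entries and the root/toor allow-list are constructed for illustration.

```shell
#!/bin/sh
# Added example. Flags master.passwd(5)-layout entries whose uid or gid is
# missing or non-numeric, plus uid-0 accounts outside an allow-list.

# Constructed sample data (not taken from any real system).
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:*:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
mallory:*::1002::0:0:no uid:/home/mallory:/bin/sh
eve:*:x:1003::0:0:bad uid:/home/eve:/bin/sh
backup:*:0:0::0:0:second root:/root:/bin/sh
short:*:1004:1004:/home/short:/bin/sh
EOF
}

# audit_passwd_uids [FILE]   (reads stdin when FILE is omitted)
# Prints "<line>:<name>:<reason>" per flagged entry; returns 1 if any.
audit_passwd_uids() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            reason = ""
            if (NF != 10)               reason = "field-count=" NF
            else if ($3 == "")          reason = "empty-uid"
            else if ($3 !~ /^[0-9]+$/)  reason = "non-numeric-uid"
            else if ($4 == "")          reason = "empty-gid"
            else if ($4 !~ /^[0-9]+$/)  reason = "non-numeric-gid"
            # Assumption: root and toor are the only expected uid-0 names.
            else if ($3 + 0 == 0 && $1 != "root" && $1 != "toor")
                                        reason = "extra-uid0"
            if (reason != "") { print NR ":" $1 ":" reason; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "${1:--}"
}

# Demo on the constructed sample; on a host: audit_passwd_uids /etc/master.passwd
sample_master_passwd | audit_passwd_uids || true
```

The non-zero return status lets a periodic job alert on any flagged entry, which gives a timestamp to line up against process accounting records.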