From owner-freebsd-security Sat Jan 9 16:32:37 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA05463 for freebsd-security-outgoing; Sat, 9 Jan 1999 16:32:37 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA05455 for ; Sat, 9 Jan 1999 16:32:33 -0800 (PST) (envelope-from jared@puck.nether.net) Received: (from jared@localhost) by puck.nether.net (8.9.2/8.7.3) id TAA30435; Sat, 9 Jan 1999 19:32:28 -0500 (EST) (envelope-from jared) Date: Sat, 9 Jan 1999 19:32:28 -0500 From: Jared Mauch To: Barrett Richardson Cc: Jared Mauch , freebsd-security@FreeBSD.ORG Subject: Re: 3.0 rel pwd_mkdb problem(patch) Message-ID: <19990109193228.C30252@puck.nether.net> Mail-Followup-To: Barrett Richardson , freebsd-security@FreeBSD.ORG References: <19990108003140.A13277@puck.nether.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: ; from Barrett Richardson on Fri, Jan 08, 1999 at 05:17:18PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Jan 08, 1999 at 05:17:18PM -0500, Barrett Richardson wrote: > > > On Fri, 8 Jan 1999, Jared Mauch wrote: > > > > > I've had a problem recently with people breaking root > > and installing accounts with *no* uid in their pw file entry, > > that way everything comes up with zero for the uid, giving > > the user root privs. I'm not sure how they're obtaining root yet, > > Maybe in addition to your patch you could log who is trying to > run pwd_mkdb with the null id. You could also turn on process accounting > and find out what else he was doing around the same time frame. Yeah, I wasn't too ambitious at the time. I got this from a user also, haven't taken time to look at src yet as i'm on a *slow* conn this weekend, but check this out: --- cut here -- I went through the newuser stuff, set a provisional password, then logged out. I logged back in with ssh and tried to change my passwd. This is what happened... freenet:~$ passwd Changing local password for garph. Old password: New password: Please don't use an all-lower case password. Unusual capitalization, control characters or digits are suggested. New password: Retype new password: passwd: updating the database... pwd_mkdb: no uid for user garph pwd_mkdb: at line #561 pwd_mkdb: /etc/pw.K18778: Inappropriate file type or format passwd: /etc/master.passwd: unchanged freenet:~$ id uid=630(garph) gid=10(user) groups=10(user) --- cut here --- perhaps this is also a passwd bug. - jared > > Just a thought. > > - > > Barrett -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message