From: Olivier Nicole
To: david@slis-two.lis.fsu.edu
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 7 Jun 2001 08:59:56 +0700 (ICT)
Message-Id: <200106070159.IAA25340@banyan.cs.ait.ac.th>
In-reply-to: (message from David Miner on Wed, 6 Jun 2001 12:58:26 -0400 (EDT))
Subject: Re: Encrypted passwords
Sender: owner-freebsd-security@FreeBSD.ORG

David,

>I changed it to a system call from perl and went on.

As a first step I would try to make sure the system call is what I really want: replace 'system' with 'print' and carefully check for any strange character. I'd be specially suspicious about the contents of that variable that holds the password.

Second I would consider that the system call is made under bourne shell, it may have a different environment than the shell you use for every day work, and it may simply be missing some environment variable.

I understood you run the script as root, it is not a setuid script? Else you'd need to untaint the variables.

As a last resort, I'd copy the script, remove all the fancy interface and keep only the system call. Try to split it, add some print, some pw usershow, etc.

Is your system running NIS?
It could be a problem that the new user has not yet propagated through NIS and then the password cannot be set...

Olivier
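
Added example, not part of the message above and not code from the thread: a small sh script showing why the contents of the password variable deserve suspicion when a command string goes through the Bourne shell, and how to make stray characters visible. The sample value, the function names and the use of printf as a stand-in for the real command are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample value (assumption: the password variable holds a
# crypt(3)-style string, whose '$' separators are shell metacharacters).
SAMPLE='$1$saltsalt$Zq8kXfakehash'

# Perl's system("cmd $var") hands the already-interpolated string to
# /bin/sh -c, so the child shell expands $1, $saltsalt, ... before the
# command ever runs. printf stands in for the real command here.
via_shell_string() {
    /bin/sh -c "printf '%s' $1"
}

# Perl's list form system('cmd', $var) passes the value as a single argv
# entry. Here it travels as a positional parameter and is only ever
# expanded inside double quotes, never re-parsed as shell syntax.
via_argv() {
    /bin/sh -c 'printf "%s" "$1"' sh "$1"
}

# The "replace system with print" check: render the value unambiguously
# so a stray CR, tab or other control character shows up as an escape,
# with '$' marking the true end of the line.
visible() {
    printf '%s\n' "$1" | LC_ALL=C sed -n l
}

echo "original      : $SAMPLE"
echo "via sh string : [$(via_shell_string "$SAMPLE")]"
echo "via argv      : [$(via_argv "$SAMPLE")]"
echo "with stray CR : $(visible "$(printf 'secret\r')")"
```

In Perl the equivalent of via_argv is the list form of system, which bypasses /bin/sh when given more than one argument.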