From owner-freebsd-bugs Tue Aug 20 20:00:06 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA01585 for bugs-outgoing; Tue, 20 Aug 1996 20:00:06 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA01552; Tue, 20 Aug 1996 20:00:03 -0700 (PDT)
Resent-Date: Tue, 20 Aug 1996 20:00:03 -0700 (PDT)
Resent-Message-Id: <199608210300.UAA01552@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, gord@gnu.ai.mit.edu
Received: from zeus.engg.ucalgary.ca (pc26.engg.ucalgary.ca [136.159.114.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA01277 for ; Tue, 20 Aug 1996 19:52:34 -0700 (PDT)
Received: (from root@localhost) by zeus.engg.ucalgary.ca (8.7.5/8.7.3) id UAA00889; Tue, 20 Aug 1996 20:52:31 -0600 (MDT)
Message-Id: <199608210252.UAA00889@zeus.engg.ucalgary.ca>
Date: Tue, 20 Aug 1996 20:52:31 -0600 (MDT)
From: Gord Matzigkeit
Reply-To: gord@gnu.ai.mit.edu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1519: chpass creates an NIS security hole
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         1519
>Category:       bin
>Synopsis:       chpass creates an NIS security hole
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 20 20:00:02 PDT 1996
>Last-Modified:
>Originator:
>Organization:
Profit Press
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

FreeBSD 2.1.5-RELEASE #1: Tue Aug 20 02:52:03 MDT 1996
root@zeus.engg.ucalgary.ca:/usr/src/sys/compile/ZEUS

>Description:

If you use chpass -a, as root, to add the NIS magic cookie to your
/etc/master.passwd file, then it will create a line that looks like:

    +::0:0::0:0:::

pwd_mkdb expands this to:

    +:*:0:0:::

I cite the passwd(5) manual page:

    This is important to remember because most people are accustomed
    to using an NIS wildcard entry that looks like this:

        +:*:0:0:::

    This often leads to new FreeBSD administrators choosing NIS
    entries for their master.passwd files that look like this:

        +:*:0:0::::::

    Or worse, this

        +::0:0::::::

    DO _NOT_ PUT ENTRIES LIKE THIS IN YOUR master.passwd FILE!! The
    first tells FreeBSD to remap all passwords to `*' (which will
    prevent anybody from logging in) and to remap all UIDs and GIDs
    to 0 (which will make everybody appear to be the superuser). The
    second case just maps all UIDs and GIDs to 0, which means that
    all users will appear to be root!

It seems that chpass(1) should be aware of the above conditions, and
avoid them if possible.

>How-To-Repeat:

As root, innocently run:

    zeus:/# chpass -a '+:::::::::'
    chpass: rebuilding the database...
    chpass: done
    zeus:/# tail -1 /etc/master.passwd
    +::0:0::0:0:::
    zeus:/# tail -1 /etc/passwd
    +:*:0:0:::
    zeus:/#

>Fix:

Unknown

>Audit-Trail:
>Unformatted:
Gord Matzigkeit
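
Added example (not part of the original problem report and not FreeBSD code): a small audit script an administrator could run over /etc/master.passwd to find NIS `+` entries that carry the overrides described in the quoted passwd(5) text. The function name and the sample user lines are constructed for illustration; the `+` lines are the ones quoted in this report.

```python
import sys

MASTER_FIELDS, PASSWD_FIELDS = 10, 7  # master.passwd vs. passwd field counts

# Constructed sample in master.passwd layout; the '+' lines are the forms
# quoted in this report, the user lines are made up.
SAMPLE = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Sample User:/home/alice:/bin/sh
+:::::::::
+::0:0::0:0:::
+:*:0:0::::::
"""


def audit_nis_entries(text):
    """Return [(line_number, entry, [problems])] for risky NIS '+' entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("+"):
            continue  # local accounts and '-' exclusions are out of scope
        fields = line.split(":")
        if len(fields) not in (MASTER_FIELDS, PASSWD_FIELDS):
            findings.append((lineno, line, ["unexpected field count"]))
            continue
        password, uid, gid = fields[1:4]
        problems = []
        # Per the passwd(5) text quoted above, a filled-in field in a '+'
        # entry replaces the value NIS supplies for every matched user.
        if password:
            problems.append("password remapped to %r" % password)
        for label, value in (("UID", uid), ("GID", gid)):
            if value.isdigit() and int(value) == 0:
                problems.append("%s remapped to 0" % label)
            elif value:
                problems.append("%s remapped to %s" % (label, value))
        if problems:
            findings.append((lineno, line, problems))
    return findings


if __name__ == "__main__":
    # Pass a file such as /etc/master.passwd; with no argument SAMPLE is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit_nis_entries(text)
    for lineno, entry, problems in results:
        print("line %d: %s -> %s" % (lineno, entry, "; ".join(problems)))
    sys.exit(1 if results else 0)
```

The script exits non-zero when any `+` entry overrides a field, so it can be run after chpass or pwd_mkdb as a sanity check.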