Date: Sat, 7 Sep 1996 09:31:39 +0300 (EET DST) From: Seppo Kallio <kallio@cc.jyu.fi> To: hackers@freebsd.org Cc: current@freebsd.org Subject: SECURITY HOLE in FreeBSD 2.1.5 ????????!!!!!!! Message-ID: <Pine.SOL.3.92.960907091945.28337C-100000@kanto.cc.jyu.fi> In-Reply-To: <31D3C997.CA9F25F@fa.tdktca.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I think pwd_mkdb is making a temporaly file /etc/master.passwd.orig with read permissions to all. It is temporaly file, but when we have 4000 accounts the file exists for a while. I found this file in /etc directory after user adding procedures started to complain about the existence of this file. Second alternative is bug in our scripts, but I have not found that file name in them (I have not the author of our scripts). ----------- Plus this hole, we have had these problems: We cannot add users to the system when someone is using passwd command. It is really big problem in a node having 4000 accounts when we try to add 1000 account now when new students come in start of September. Passwd command should not lock the passwd files for the entire time after user type passwd to the time he/she succeeds to type his/hers new passwd! The adduser should manage the locking situation better. Seppo Kallio kallio@jyu.fi Computing Center Fax +358-14-603611 U of Jyväskylä 62.14N 25.44E Phone +358-14-603606 PL 35, 40351 Jyväskylä, Finland http://www.jyu.fi/~kallio
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.SOL.3.92.960907091945.28337C-100000>