From owner-freebsd-bugs Tue Mar 12 3:10:10 2002 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2DB0D37B43C for ; Tue, 12 Mar 2002 03:10:01 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g2CBA1Q98116; Tue, 12 Mar 2002 03:10:01 -0800 (PST) (envelope-from gnats) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8460037B436 for ; Tue, 12 Mar 2002 03:00:58 -0800 (PST) Received: (from nobody@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g2CB0wv92939; Tue, 12 Mar 2002 03:00:58 -0800 (PST) (envelope-from nobody) Message-Id: <200203121100.g2CB0wv92939@freefall.freebsd.org> Date: Tue, 12 Mar 2002 03:00:58 -0800 (PST) From: Slawomir Parysek To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-1.0 Subject: i386/35816: no one can change password, because "passwd DB is locked" Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 35816 >Category: i386 >Synopsis: no one can change password, because "passwd DB is locked" >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Mar 12 03:10:01 PST 2002 >Closed-Date: >Last-Modified: >Originator: Slawomir Parysek >Release: 4.5-RELEASE >Organization: ArgNet >Environment: FreeBSD my.host.name.com.pl 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386 >Description: When one (malicious) user edit his own passwd database (via $ chpass command), no one can change password, because "passwd DB is locked". Also root cant't change any information in passwd database, eg add/delete It is very importand problem especialy on systems whih acts as shell box (TM.). >How-To-Repeat: how to repeat, huh, thats simple: log in into accont and leave an running "chpass" command on screen and log out, huh noone can change his/her passd and/or any other info by editing /etc/passwd* etc >Fix: how to fix it? hmm... block acces to command chpass for all suspicous users ;-P >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message