From: Michael Smith
Message-Id: <199601282315.JAA08301@genesis.atrad.adelaide.edu.au>
Subject: Re: Temporary passwd files in /etc?
To: taob@io.org (Brian Tao)
Date: Mon, 29 Jan 1996 09:45:29 +1030 (CST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at Jan 28, 96 01:07:03 pm

Brian Tao stands accused of saying:
>
>     I found these two files lying around in the /etc directory of one
> of our FreeBSD 2.1.0-RELEASE machines here.
>
> -rw-r--r--  1 root  wheel  459403 Jan 20 15:35 pw.007939.orig
> -rw-rw-rw-  1 root  wheel  612563 Jan 25 19:06 pw.021282~
>
> pw.021282~ is a world readable/writeable copy of the master.passwd
> file.  How did either of those files get there?  Do the serial numbers
> on them look familiar to anyone (pids?).

The second is probably an emacs backup file.  It looks like root has
emacs as its editor, or someone su'd to root and root's .cshrc doesn't
override EDITOR, and also has a really bogus umask setting.

This is a _really_good_ reason not to ever use emacs as root's editor.

The former; hmm.  .orig is a patch(1) thing; have you used diff/patch to
pass changes to your password database around?

> Brian Tao (BT300, taob@io.org)

--
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax)  +61-8-267-3039        [[
]] "wherever you go, there you are" - Buckaroo Banzai                   [[
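
An added example, not part of the original message: a POSIX shell check for the situation described in this thread, leftover editor or patch(1) copies in a directory that other users can read or write. The name patterns and the constructed demo directory (standing in for /etc) are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag leftover editor/patch copies that "other" can read or write.
# Name patterns are assumptions based on the two files in the thread
# (pw.NNNNNN~ and pw.NNNNNN.orig) plus common siblings (*.rej, #*#).

stray_copies() {
    # Non-recursive: only files directly inside the given directory.
    find "$1" -maxdepth 1 -type f \
        \( -name 'pw.*' -o -name '*~' -o -name '*.orig' \
           -o -name '*.rej' -o -name '#*#' \) \
        \( -perm -004 -o -perm -002 \) -print | sort
}

# Label each hit by the worst permission bit it carries.
report() {
    stray_copies "$1" | while IFS= read -r f; do
        if [ -n "$(find "$f" -perm -002)" ]; then
            echo "WORLD-WRITABLE $f"
        else
            echo "world-readable $f"
        fi
    done
}

# Constructed demo tree; files are empty, only names and modes matter.
make_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        umask 077; : > master.passwd; : > group.orig   # 0600: not reported
        umask 022; : > hosts; : > pw.007939.orig       # 0644
        umask 000; : > 'pw.021282~'                    # 0666: the bogus-umask case
    )
    echo "$d"
}

# Usage: sh thisfile /etc
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

The `group.orig` file in the demo matches a name pattern but is mode 0600, so it is not reported; `hosts` is world-readable but is not a leftover copy.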