From: David Kelly
To: Jeff Gray
Cc: Questions at FreeBSD
Subject: Re: /etc/passwd - how to protect from spammers
Date: Tue, 01 Dec 1998 19:25:12 -0600
Message-Id: <199812020125.TAA07732@n4hhe.ampr.org>
In-reply-to: Message from Jeff Gray of "Tue, 01 Dec 1998 10:35:23 PST."

Jeff Gray writes:
> We run a multiuser system and as /etc/passwd is world readable it is easy
> for a spammer to get access to our user list. We limit access via a
> restricted shell but do offer pine - easy to attach /etc/passwd.
> Restricting pine so as to prohibit attachments would be a severe
> restriction.
>
> A client/user mentioned that in HP Unix there is a
> chroot wrapper of some kind which can block this access. Could not find
> anything in the FreeBSD archives.

Have you tried "chmod go-rwx /etc/passwd" ?

I haven't tried it myself under FreeBSD but have had it accidentally happen
on SGI Irix systems. The biggest thing it breaks is the use of ~ username
expansion. Also an "ls -l" will show user id numbers, not names.

Under FreeBSD one would have to hack the passwd db utilities as /etc/passwd
is just a compatibility dummy file.
When a password is changed a new /etc/passwd is written (possibly losing
the prior access permissions). /etc/master.passwd is where the real data is
kept. Looks like you also need to protect /etc/pwd.db.

--
David Kelly N4HHE, dkelly@nospam.hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
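
A permission check over the three files named in the message above, added here as an example and not part of the original post. It can be re-run after a password change, since the message notes /etc/passwd is rewritten then; the function name audit_pwfiles and its ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# audit_pwfiles ROOT
#   Reports, for each password-database file the message names, whether
#   "other" has read permission. ROOT is prepended to the paths so the
#   check can be pointed at a test tree; pass "" for the live system.
#   Returns 0 when no file is world-readable, 1 otherwise.
audit_pwfiles() {
    root=${1:-}
    exposed=0
    for f in etc/passwd etc/pwd.db etc/master.passwd; do
        path="$root/$f"
        if [ ! -e "$path" ]; then
            echo "missing:        $path"
            continue
        fi
        # First 10 characters of ls -l are the type and mode bits;
        # character 8 is the read bit for "other".
        mode=$(ls -ld "$path" | cut -c1-10)
        case $mode in
            ???????r*) echo "world-readable: $path ($mode)"; exposed=1 ;;
            *)         echo "restricted:     $path ($mode)" ;;
        esac
    done
    return $exposed
}

# Example call against the live system:
#   audit_pwfiles "" || echo "user list is readable by every local account"
```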