Received: by minnie.vk1xwt.ampr.org with NNTP id AA629 ; Sat, 06 Feb 93 08:00:28 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!agate!agate.berkeley.edu!cgd
From: cgd@eden.CS.Berkeley.EDU (Chris G. Demetriou)
Newsgroups: comp.unix.bsd
Subject: Re: *Big* security leak for users w/o crypt.
Date: 4 Feb 93 11:31:17
Organization: Kernel Hackers 'r' Us
Lines: 34
Message-ID: <CGD.93Feb4113117@eden.CS.Berkeley.EDU>
References: <1kmcqrINN4l@encap.hanse.de> <CGD.93Feb3180816@eden.CS.Berkeley.EDU>
NNTP-Posting-Host: eden.cs.berkeley.edu
In-reply-to: cgd@eden.CS.Berkeley.EDU's message of 3 Feb 93 18:08:16

In article <CGD.93Feb3180816@eden.CS.Berkeley.EDU> cgd@eden.CS.Berkeley.EDU (Chris G. Demetriou) writes:
=>In article <1kmcqrINN4l@encap.hanse.de> maverick@encap.hanse.de (Jan-Oliver Neumann) writes:
=>[ about a problem handling starred-out passwd entries, with the dummy crypt
=> routine ]
=>
=>i'll make and post a set of diffs to fix this, so that the change will
=>hopefully get merged into the mainstream release channel...

I don't want to know *what* I was thinking when I said this; any change
like this would be nasty, if only because of the way the password
comparisons are handled...

If you're not using the crypt() routine (i.e. the default), you don't
define "DES" when compiling the utils that would use crypt(), and the
password check becomes something like:

	rval = strcmp(p, pwd->pw_passwd);

whereas with crypt, it looks like:

	rval = strcmp(crypt(p, salt), pwd->pw_passwd);

Therefore, to fix the problem, you'd need to modify as many files as you
would to install crypt in the first place, and the modifications wouldn't
port "easily" to other crypt-using programs...

If you're at all concerned about security (you should be), then just get
crypt.c from somewhere and do the right thing, per the instructions that
come with 386bsd...

chris
--
Chris G. Demetriou                                cgd@cs.berkeley.edu
"Sometimes it is better to have twenty million instructions by
Friday than twenty million instructions per second." -- Wes Clark
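The two comparison forms quoted in the post, side by side, as an added example
that is not part of the original message or of the 386bsd sources. It shows why a
starred-out entry behaves differently under the two builds: with the plain
strcmp() build, a "*" in the password field is itself a string a user can type,
while a crypt() result is always 13 characters starting with the salt and so can
never equal "*". stub_crypt() is a stand-in that only mirrors that output
contract (it is NOT DES and must not be used for real passwords; it exists so
the example links without -lcrypt), the passwd entries are constructed, and
check_plain_fixed() is this editor's illustration of what every comparison site
would have to add, not the diffs the post talks about.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for crypt(3). NOT DES: it only reproduces the shape of the
 * result (13 characters, the first two being the salt) so that the
 * comparison logic below can be exercised without linking libcrypt.
 * Assumption for this example only; never use it to store passwords. */
static const char alphabet[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

const char *stub_crypt(const char *key, const char *salt)
{
    static char out[14];
    unsigned long h = 5381;
    int i;

    /* crypt() echoes the salt as the first two output characters */
    out[0] = salt[0] ? salt[0] : '.';
    out[1] = (salt[0] && salt[1]) ? salt[1] : '.';

    for (i = 0; salt[i] && i < 2; i++)
        h = h * 33 + (unsigned char)salt[i];
    for (i = 0; key[i]; i++)
        h = h * 33 + (unsigned char)key[i];

    /* eleven more characters from the same 64-character alphabet */
    for (i = 2; i < 13; i++) {
        h = h * 1103515245UL + 12345UL;
        out[i] = alphabet[(h >> 16) & 63];
    }
    out[13] = '\0';
    return out;
}

/* The check as built without -DDES: the /etc/passwd field is compared to
 * the typed string as plain text, exactly as quoted in the post. */
int check_plain(const char *typed, const char *pw_passwd)
{
    return strcmp(typed, pw_passwd) == 0;
}

/* The check as built with -DDES: the typed password goes through crypt()
 * (here the stand-in) with the stored field as salt, and the 13-character
 * result is compared to the stored field. */
int check_crypt(const char *typed, const char *pw_passwd,
                const char *(*cryptfn)(const char *, const char *))
{
    return strcmp(cryptfn(typed, pw_passwd), pw_passwd) == 0;
}

/* What a fix to the plain build would have to add at each comparison
 * site: refuse to authenticate against a field that marks a disabled
 * account instead of holding a password. Editor's illustration only. */
int check_plain_fixed(const char *typed, const char *pw_passwd)
{
    if (pw_passwd[0] == '*')
        return 0;
    return strcmp(typed, pw_passwd) == 0;
}

int main(void)
{
    /* constructed sample entries, not real /etc/passwd data */
    const char *disabled = "*";
    char hashed[14];
    strcpy(hashed, stub_crypt("secret", "ab")); /* copy: stub uses a static buffer */

    printf("plain build, disabled account, typed \"*\": %d\n",
           check_plain("*", disabled));
    printf("crypt build, disabled account, typed \"*\": %d\n",
           check_crypt("*", disabled, stub_crypt));
    printf("crypt build, real password:              %d\n",
           check_crypt("secret", hashed, stub_crypt));
    printf("fixed plain build, disabled account:     %d\n",
           check_plain_fixed("*", disabled));
    return 0;
}
```

The first printf is the leak: under the plain build a "*" entry is a valid
password of "*". The crypt build gets the safe behaviour for free because no
crypt() output is one character long, which is why the post's advice is to
install crypt.c rather than patch every comparison site.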