*BSD News Article 10760

Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA629 ; Sat, 06 Feb 93 08:00:28 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!agate!agate.berkeley.edu!cgd
From: cgd@eden.CS.Berkeley.EDU (Chris G. Demetriou)
Newsgroups: comp.unix.bsd
Subject: Re: *Big* security leak for users w/o crypt.
Date: 4 Feb 93 11:31:17
Organization: Kernel Hackers 'r' Us
Lines: 34
Message-ID: <CGD.93Feb4113117@eden.CS.Berkeley.EDU>
References: <1kmcqrINN4l@encap.hanse.de> <CGD.93Feb3180816@eden.CS.Berkeley.EDU>
NNTP-Posting-Host: eden.cs.berkeley.edu
In-reply-to: cgd@eden.CS.Berkeley.EDU's message of 3 Feb 93 18:08:16

In article <CGD.93Feb3180816@eden.CS.Berkeley.EDU> cgd@eden.CS.Berkeley.EDU (Chris G. Demetriou) writes:
=>In article <1kmcqrINN4l@encap.hanse.de> maverick@encap.hanse.de (Jan-Oliver Neumann) writes:
=>[ about a problem handling starred-out passwd entries, with the dummy crypt
=>  routine ]
=>
=>i'll make and post a set of diffs to fix this, so that the change will
=>hopefully get merged into the mainstream release channel...

i don't want to know *what* i was thinking when i said this;
any change like this would be nasty, if only because of the way
the password comparisons are handled...

if you're not using the crypt() routine (i.e. the default),
you don't define "DES" when compiling the utils that would use
crypt(), and the password check becomes something like:
"rval = strcmp(p, pwd->pw_passwd);" whereas w/crypt, it looks
like "rval = strcmp(crypt(p, salt), pwd->pw_passwd);".

therefore to fix the problem, you'd need to modify as many files
as you would to install crypt in the first place, and the modifications
wouldn't port "easily" to other crypt-using programs...

if you're at all concerned about security (you should be),
then just get crypt.c from somewhere, and do the right thing,
per the instructions that come w/386bsd...


chris

--
Chris G. Demetriou                                    cgd@cs.berkeley.edu

"Sometimes it is better to have twenty million instructions by
        Friday than twenty million instructions per second." -- Wes Clark
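The comparison the post describes, with a guard added, as an example that is not part of the original article or of 386BSD: in a non-DES build the check is a bare `strcmp(p, pwd->pw_passwd)`, so a starred-out entry's `*` is just another string and the lock marker itself becomes a matchable "password". The hardened variant rejects lock markers before any comparison is made, which is the change that would have to go into every crypt-using program. `struct pw_entry`, `is_locked_entry`, `lookup` and the sample entries are constructed for the example; treating `!` as a lock marker alongside `*` is an assumption, not something the post states.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the relevant fields of struct passwd. */
struct pw_entry {
    const char *pw_name;
    const char *pw_passwd;   /* stored field: plaintext in a non-DES build */
};

/* Constructed sample entries: one real user and one starred-out (locked) account. */
static const struct pw_entry sample_entries[] = {
    { "alice",  "letmein" },
    { "daemon", "*" },
};

/* Weak check, as the post describes for a build without DES:
 * a bare strcmp against the stored field. A locked entry's "*" is just
 * another string here, so entering "*" matches it. */
int weak_check(const char *p, const struct pw_entry *pwd)
{
    return strcmp(p, pwd->pw_passwd) == 0;
}

/* Hypothetical helper: is the stored field a lock marker rather than a
 * credential? Empty and starred-out fields are treated as locked; the
 * leading '!' convention is an assumption added here. */
int is_locked_entry(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return 1;
    if (field[0] == '*' || field[0] == '!')
        return 1;
    return 0;
}

/* Hardened check: refuse locked entries before comparing anything. This
 * guard is the same whether the build compares plaintext (non-DES, shown
 * here) or crypt(p, salt) against the stored hash (DES build). */
int hardened_check(const char *p, const struct pw_entry *pwd)
{
    if (is_locked_entry(pwd->pw_passwd))
        return 0;
    return strcmp(p, pwd->pw_passwd) == 0;
}

/* Look up a constructed entry by user name; NULL if absent. */
const struct pw_entry *lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof sample_entries / sizeof sample_entries[0]; i++)
        if (strcmp(sample_entries[i].pw_name, name) == 0)
            return &sample_entries[i];
    return NULL;
}

int main(void)
{
    const struct pw_entry *d = lookup("daemon");
    const struct pw_entry *a = lookup("alice");

    printf("weak check,     daemon, \"*\":      %d\n", weak_check("*", d));
    printf("hardened check, daemon, \"*\":      %d\n", hardened_check("*", d));
    printf("hardened check, alice,  \"letmein\": %d\n", hardened_check("letmein", a));
    return 0;
}
```

The first line of output shows the leak the post is about (the weak check accepts `*` for the locked account); the second shows the guard closing it without touching the real user's path. Installing real crypt() changes what is compared, but the lock-marker guard is still needed in front of it.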