Received: by minnie.vk1xwt.ampr.org with NNTP id AA685 ; Sat, 06 Feb 93 21:01:10 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!clark!serval!news.u.washington.edu!usenet.coe.montana.edu!saimiri.primate.wisc.edu!zaphod.mps.ohio-state.edu!caen!destroyer!ccs.itd.umich.edu!nosegoblin.css.itd.umich.edu!pauls
From: pauls@css.itd.umich.edu (Paul Southworth)
Newsgroups: comp.unix.bsd
Subject: Re: *Big* security leak for users w/o crypt.
Date: 5 Feb 1993 02:01:54 GMT
Organization: University of Michigan ITD Consulting and Support Services
Lines: 23
Message-ID: <1kshqiINN3gv@stimpy.css.itd.umich.edu>
References: <1kmcqrINN4l@encap.hanse.de>
NNTP-Posting-Host: nosegoblin.css.itd.umich.edu

In article <1kmcqrINN4l@encap.hanse.de> maverick@encap.hanse.de (Jan-Oliver Neumann) writes:
>Although a system w/o a working version of crypt() (it was excluded from
>the 386BSD Distributions because of U.S. export regulations) is already
>insecure, anyone can now login as "bin" or "daemon".

Maybe this is an ignorant comment, but since the * is the password, and *with* DES these accounts can be accessed via an su by a process like cron running with uid 0 (thereby bypassing the need for a password with the su) one could just as easily change the password to something other than *, right?

Perhaps a brief note should just be included in FAQ or docs telling the sysadm to assign a passwd to those ASAP and then get with crypt quickly thereafter.

I mean, having password of * is stupid, but if my daemon's password is as&^jk12-9 who's going to break in without getting their hands on /etc/master.passwd?

Not that it's really a security "fix" but it does make it a bit tighter anyway to machines on the net or with dial-ups that have only one user (like me).