*BSD News Article 10791


Return to BSD News archive

Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA685 ; Sat, 06 Feb 93 21:01:10 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!clark!serval!news.u.washington.edu!usenet.coe.montana.edu!saimiri.primate.wisc.edu!zaphod.mps.ohio-state.edu!caen!destroyer!ccs.itd.umich.edu!nosegoblin.css.itd.umich.edu!pauls
From: pauls@css.itd.umich.edu (Paul Southworth)
Newsgroups: comp.unix.bsd
Subject: Re: *Big* security leak for users w/o crypt.
Date: 5 Feb 1993 02:01:54 GMT
Organization: University of Michigan ITD Consulting and Support Services
Lines: 23
Message-ID: <1kshqiINN3gv@stimpy.css.itd.umich.edu>
References: <1kmcqrINN4l@encap.hanse.de>
NNTP-Posting-Host: nosegoblin.css.itd.umich.edu

In article <1kmcqrINN4l@encap.hanse.de> maverick@encap.hanse.de (Jan-Oliver Neumann) writes:
>Although a system w/o a working version of crypt() (it was excluded from
>the 386BSD Distributions because of U.S. export regulations) is already
>insecure, anyone can now login as "bin" or "daemon". 


Maybe this is an ignorant comment, but since the * is the password, and
*with* DES these accounts can be accessed via an su by a process like
cron running with uid 0 (thereby bypassing the need for a password with
the su) one could just as easily change the password to something other
than *, right?

Perhaps a brief note should just be included in FAQ or docs telling the
sysadm to assign a passwd to those ASAP and then get with crypt quickly
thereafter.  

I mean, having password of * is stupid, but if my daemon's password
is as&^jk12-9 who's going to break in without getting their hands
on /etc/master.passwd?

Not that it's really a security "fix" but it does make it a bit
tighter anyway to machines on the net or with dial-ups that have
only one user (like me).