*BSD News Article 24984

Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!agate!howland.reston.ans.net!cs.utexas.edu!utnut!torn!nott!uotcsi2!revcan!micor!latour!zone4!zone4!not-for-mail
From: roo@zone4.ocunix.on.ca (Andrew Low)
Newsgroups: comp.os.386bsd.bugs
Subject: Re: 386bsd login security bug
Date: 14 Dec 1993 02:19:16 -0500
Organization: Zone4
Lines: 19
Message-ID: <2ejpdk$jhs@zone4.ocunix.on.ca>
References: <chrisjCHypxr.94s@netcom.com>
NNTP-Posting-Host: zone4.ocunix.on.ca

In article <chrisjCHypxr.94s@netcom.com> 
chrisj@netcom.com (Christopher T. Jewell) writes:
>
>The following error exists in /usr/src/usr.bin/login/login.c on 386BSD
>0.1 with all the patchkits applied: if the password entry contains no
>password, login.c permits the login to proceed even if the uid being
>logged in is 0 and the tty is not marked secure.

I just discovered this myself and was very surprised.  I was trying
to allow 'root' to have no password, but only allow root logins from
the console (secure) or let people in the group wheel 'su' to root.

If it's a 'feature', I'd like to hear the defence for this behaviour.
Until then I too consider it a bug that needs to be fixed. (I'm using
NetBSD-0.9).  The patch seems simple enough, but I'd like to see it
or a variation of it in the release version(s).
-- 
---->InSaNiTyNoW!<---- ! (H)acker ! There is a ! (Cr)acker
roo@zone4.ocunix.on.ca ! (H)onest ! difference ! (Cr)iminal
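The ordering problem described in this thread (an empty password field short-circuits the "is this root on a secure tty?" check) is easy to see in a small model of the decision. The code below is an added illustration, not the actual 386BSD or NetBSD login.c; the struct, function names and the `tty_secure` / `password_ok` parameters are assumed for the example. It places the buggy order and the corrected order side by side so the configuration the poster wanted (root with no password, accepted only on the secure console) can be checked directly.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Minimal stand-in for the fields of a passwd entry that matter here.
 * (Illustrative model only; not the real struct passwd.) */
typedef struct {
    const char *name;
    uid_t       uid;
    const char *passwd;   /* "" means "no password set" */
} pwent_t;

/* Order as described in the thread: an empty password field is accepted
 * before the uid-0 / secure-tty rule is ever consulted, so root with no
 * password gets in from any tty. Returns 1 = allow, 0 = refuse. */
int login_allowed_buggy(const pwent_t *pw, int tty_secure, int password_ok)
{
    if (pw->passwd[0] == '\0')
        return 1;                        /* root on an insecure tty slips through */
    if (pw->uid == 0 && !tty_secure)
        return 0;
    return password_ok;
}

/* Corrected order: the secure-tty rule for uid 0 is applied first and
 * unconditionally; only then does the empty-password shortcut apply. */
int login_allowed_fixed(const pwent_t *pw, int tty_secure, int password_ok)
{
    if (pw->uid == 0 && !tty_secure)
        return 0;                        /* root only from a tty marked secure */
    if (pw->passwd[0] == '\0')
        return 1;                        /* no password: nothing to verify */
    return password_ok;
}

/* Constructed sample entries for a stand-alone run. */
static const pwent_t root_nopw = { "root", 0,    "" };
static const pwent_t user_pw   = { "roo",  1000, "x" };

int main(void)
{
    /* root, no password, insecure tty: buggy allows, fixed refuses */
    printf("root/insecure  buggy=%d fixed=%d\n",
           login_allowed_buggy(&root_nopw, 0, 0),
           login_allowed_fixed(&root_nopw, 0, 0));
    /* root, no password, console marked secure: both allow */
    printf("root/console   buggy=%d fixed=%d\n",
           login_allowed_buggy(&root_nopw, 1, 0),
           login_allowed_fixed(&root_nopw, 1, 0));
    /* ordinary user with a password: outcome depends only on the password */
    printf("user/badpw     buggy=%d fixed=%d\n",
           login_allowed_buggy(&user_pw, 0, 0),
           login_allowed_fixed(&user_pw, 0, 0));
    return 0;
}
```

The point of the fixed version is that a policy check (who may log in where) must be evaluated before, and independently of, the credential check (is the password right or absent); the bug arises purely from evaluating them in the wrong order.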