*BSD News Article 26293



Path: sserve!newshost.anu.edu.au!munnari.oz.au!constellation!news.uoknor.edu!ns1.nodak.edu!netnews.nwnet.net!news.uoregon.edu!gaia.ucs.orst.edu!umn.edu!mr.net!msc.edu!sgiblab!uhog.mit.edu!europa.eng.gtefsd.com!howland.reston.ans.net!usenet.ins.cwru.edu!usenet.mcs.kent.edu!not-for-mail
From: greg@dell.kent.edu  (Greg Spiegelberg)
Newsgroups: comp.os.386bsd.questions
Subject: Re: secure dist/passwd
Date: 20 Jan 1994 22:18:46 -0500
Organization: NetBSD v0.8 UNIX @ Kent State University
Lines: 29
Message-ID: <2hnhj4INN60b@dell.kent.edu>
References: <QhC4g6O00VBNEFf0gK@andrew.cmu.edu> <2hg3qb$nut@sylvester.cc.utexas.edu>
NNTP-Posting-Host: dell.kent.edu

In article <2hg3qb$nut@sylvester.cc.utexas.edu>,
Vax <vax@sylvester.cc.utexas.edu> wrote:
>In article <QhC4g6O00VBNEFf0gK@andrew.cmu.edu>,
>Timothy J Kniveton  <tim+@CMU.EDU> wrote:
>>No users except myself and root (I think people in the root group) can
>>run passwd.  Since the permissions of passwd allow read + execute for
>>anyone,
>
>Um, I don't mean to sound simplistic, but have you checked that it's
>SUID root?  You must, of course, be root to modify the password files.
>passwd, of course, should be rw-r--r-- and master.passwd rw-------
>Not sure about the write perms, you may not need them; doesn't hurt tho.
>/usr/bin/passwd should be r-sr-xr-x root bin
>
>Disclaimer: I'm not trying to sound pedantic; just ruling out the simple fix.

Sounded right to me.  I just brought up a NetBSD v0.9 system here and unless
the user's account is in the wheel/root groups it doesn't work.  Those accounts
are able to execute other programs with same priv's and suid root.

Any other suggestions?

-----
Greg Spiegelberg         | College of Business, Kent State University
 greg@dell.kent.edu      |  Novell Network Administrator
 gspiegel@bsa1.kent.edu  |  NetBSD UNIX System Administrator
 gspiegel@mcs.kent.edu   |  General All-Around Good Guy ;)

#include<std.disclaimer.h>
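
The permission check suggested in the quoted reply, written out as a script. This is an added example, not part of either post; the `/etc` locations of `passwd` and `master.passwd` and the `root`/`wheel` ownership of those two files are assumptions, while the mode strings and the `root bin` ownership of `/usr/bin/passwd` are the ones given in the thread.

```shell
#!/bin/sh
# Added example: compare a file's permissions, owner and group with
# the values expected for the password files and the passwd binary.
# usage: check_perm PATH PERMS [OWNER] [GROUP]
#   PERMS is the nine-character string shown by `ls -l`, e.g. r-sr-xr-x
#   OWNER and GROUP are optional; an empty value skips that comparison.
check_perm() {
    path=$1; want_perms=$2; want_owner=${3:-}; want_group=${4:-}
    if [ ! -e "$path" ]; then
        echo "MISSING   $path"
        return 2
    fi
    # ls -ld fields: mode, link count, owner, group, ...
    set -- $(ls -ld "$path")
    # Drop the file-type character and any ACL/attribute suffix (+ . @).
    have_perms=$(printf '%s' "$1" | cut -c2-10)
    have_owner=$3; have_group=$4
    rc=0
    if [ "$have_perms" != "$want_perms" ]; then
        echo "MODE      $path: have $have_perms, want $want_perms"
        rc=1
    fi
    if [ -n "$want_owner" ] && [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER     $path: have $have_owner, want $want_owner"
        rc=1
    fi
    if [ -n "$want_group" ] && [ "$have_group" != "$want_group" ]; then
        echo "GROUP     $path: have $have_group, want $want_group"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK        $path"
    return "$rc"
}

# Check the three files named in the thread; returns non-zero if any differ.
audit_passwd_files() {
    bad=0
    check_perm /usr/bin/passwd    r-sr-xr-x root bin   || bad=1
    check_perm /etc/passwd        rw-r--r-- root wheel || bad=1   # path/owner assumed
    check_perm /etc/master.passwd rw------- root wheel || bad=1   # path/owner assumed
    return "$bad"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_passwd_files
fi
```

Run it as `sh check.sh --audit` (the file name is arbitrary); reading `master.passwd` metadata works for any user because only `ls -ld` is used.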