*BSD News Article 52183



Newsgroups: comp.unix.bsd.bsdi.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!news.mathworks.com!tank.news.pipex.net!pipex!howland.reston.ans.net!news.sprintlink.net!mv!news-dnh.mv.net!pod.mv.com!not-for-mail
From: dwm@pod.mv.com (David W. Mitchell)
Subject: Re: Horrifying Security Hole Maker-BSDI feature or bug?
Keywords: adduser bug not in 2.0.1
Message-ID: <44udnd$et2@pod.mv.com>
Nntp-Posting-Host: pod.mv.com
Sender: usenet@jade.mv.net (System Administrator)
Organization: Orca Systems, Inc.
Date: Wed, 4 Oct 1995 16:45:33 GMT
References: <richard-0310951551150001@island.interverse.com>
Lines: 35

In article <richard-0310951551150001@island.interverse.com>,
Richard Gilligan <richard@interverse.com> wrote:
>
>The nightmare begins when I discover that all the passwords have been
>deleted from /etc/master.passwd.  The effect is that anyone can log in
>simply by typing a user name at the login prompt - the password prompt is
>skipped and they are greeted with a quote and a shell prompt.
>
>When I use the "adduser" command, I can reliably make passwords disappear
>by attempting to put the new user in a group that does not yet exist. 

    Hello - 
    I just tried to add a user to a non-existent group.
    The passwd and master.passwd files ended up with no problem
    at all, and the adduser program (which I'd never used before) never
    prompted me to create the non-existent group.  In short, everything
    seemed to work fine, though I'd think flagging the non-existent
    group might make sense.  The only visible change other than the
    new user was that the nobody and nonroot entries got shuffled to
    the end (sorted by uid, apparently).

    I'm running BSD/OS 2.0.1, meaning that I started with 2.0, have a
    support license, and have applied all of the 2.0.1 patches.  I don't
    remember offhand whether one of those patches fixed this problem,
    and you don't say in your post which version you're running.
    I'd check the BSDI patch server, as a first step: start by
    sending mail with "send index" in the message body to patches@bsdi.com
    ("help" in the message body will get you instructions) and go 
    from there.

    Good luck,
    dave
-- 
  Dave Mitchell		dwm@pod.orca.com		  603-740-9877
  Orca Systems, Inc.  12 Lincoln Street #1, Dover, NH USA   03820-2962
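
A check for the condition discussed in this thread, as an added example that is not part of either post and not BSDI's code: it flags accounts whose password field in master.passwd is empty and accounts whose gid has no entry in the group file. It assumes the 4.4BSD 10-field master.passwd layout; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a BSD master.passwd for the failure described in the thread.
# Assumes the 4.4BSD 10-field layout:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# audit_passwd MASTER_PASSWD GROUP_FILE  (function name is hypothetical)
audit_passwd() {
    awk -F: '
        # Group file (first argument to awk): remember every defined gid.
        FILENAME == ARGV[1] { if ($0 !~ /^#/ && NF >= 3) gids[$3] = 1; next }
        /^#/ || /^$/        { next }
        NF != 10            { print "MALFORMED line " FNR; next }
        # Empty field 2 means login asks for no password.
        # A "*" there is a locked account and is not flagged.
        $2 == ""            { print "EMPTY_PASSWORD " $1 }
        !($4 in gids)       { print "MISSING_GROUP " $1 " gid=" $4 }
    ' "$2" "$1"
}

# make_sample DIR: write constructed sample files (not real account data).
make_sample() {
    cat > "$1/master.passwd" <<'EOF'
root:CONSTRUCTEDHASH1:0:0::0:0:System Admin:/root:/bin/csh
alice::1001:100::0:0:Alice Example:/home/alice:/bin/sh
bob:CONSTRUCTEDHASH2:1002:250::0:0:Bob Example:/home/bob:/bin/sh
nobody:*:32767:9999::0:0:Unprivileged user:/nonexistent:/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
wheel:*:0:root
users:*:100:
nobody:*:9999:
EOF
}

# Demo run on the constructed files.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_passwd "$tmp/master.passwd" "$tmp/group"
rm -rf "$tmp"
```

On a live system, run `audit_passwd /etc/master.passwd /etc/group` as root before and after an adduser run and compare the two outputs.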