Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!news.mathworks.com!news.ultranet.com!news.sprintlink.net!newsboy.utelfla.com!news.phoenixat.com!usenet From: warreng@phoenixat.com (WarrenG) Newsgroups: comp.unix.bsd.bsdi.misc Subject: Re: Horrifying Security Hole Maker-BSDI feature or bug? Date: 4 Oct 1995 18:54:54 GMT Organization: Phoenix Applied Technology, inc. Lines: 14 Message-ID: <44ul9u$2jd@porthos.phoenixat.com> References: <richard-0310951551150001@island.interverse.com> NNTP-Posting-Host: ppph1.phoenixat.com X-Newsreader: WinVN 0.92.6+ In article <richard-0310951551150001@island.interverse.com>, richard@interverse.com (Richard Gilligan) says: >When I use the "adduser" command, I can reliably make passwords disappear >by attempting to put the new user in a group that does not yet exist. >"adduser" >tells me that the group does not exist and asks if I want it created, I do >[yes], and we proceed with adding the new user. Everything appears >normal. >(Except login is easier and everyone can do their own sysadmin chores). It is indeed a BSDI bug. It happened to me too, and after an exhaustive search and calls to BSDI, they said that just what you described will do it. Their solution??? Don't add a user to a group that doesn't yet exist... Thanks guys, that helps you, not us. Anyway, I thought it was a hacker at first too. Just thought you'd like to know. Scott Clark