Do not use blank lines in /etc/passwd
Lawrence W. McVoy
mcvoy at rsch.WISC.EDU
Tue Oct 21 07:09:13 AEST 1986
In article <4701 at brl-smoke.ARPA> hoey at NRL-AIC.arpa (Dan Hoey) writes:
>At least in vanilla 4.2, having blank lines anywhere in your password
>file opens a security hole that I will forbear to discuss on this list.
>I have not verified this on other systems, but I advise you to stick to
>the standard format. If you want to insert blank lines for readability
>(which is how I discovered the bug) use nearly-blank lines like
>
>x:*:0:0: ::
Umm, could be sort of a security hole in itself: if anyone can make a
match to the "*" you have let them enter the system as root (uid==0).
I realize that "*" and "**" etc are commonly used and probably pose
no risk on most [all?] versions of Unix, but why tempt fate? Make the
uid & gid be something harmless and be sure.
--
Larry McVoy mcvoy at rsch.wisc.edu,
{seismo, topaz, harvard, ihnp4, etc}!uwvax!mcvoy
"They're coming soon! Quad-stated guru-gates!"
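
An added example, not part of the original post: a check of a passwd-format file for the two conditions raised in this thread, blank lines and extra entries carrying uid 0. The function name audit_passwd and the sample file contents are constructed for illustration; the field count assumes the standard seven-field passwd layout.

```shell
#!/bin/sh
# audit_passwd FILE: print one finding per line for a passwd-format file.
# Findings: blank (or whitespace-only) lines, lines that do not have exactly
# seven colon-separated fields, and any entry other than "root" with uid 0.
# Exit status is 0 when nothing was reported, 1 otherwise.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ { printf "%d: blank line\n", NR; bad = 1; next }
        NF != 7    { printf "%d: expected 7 fields, found %d\n", NR, NF
                     bad = 1; next }
        # Match the uid as a string of zeros so that "00" is caught as well.
        $3 ~ /^0+$/ && $1 != "root" {
            printf "%d: non-root entry \"%s\" has uid 0\n", NR, $1
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: a blank line plus the "nearly-blank" separator
# entry quoted in the post, which carries uid 0 and gid 0.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:*:0:0:Operator:/:/bin/csh

x:*:0:0: ::
daemon:*:1:1::/:
EOF

audit_passwd "$sample" || echo "findings reported for $sample"
rm -f "$sample"
```
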