Do not use blank lines in /etc/passwd
Eric Black
eric at cti.UUCP
Sat Oct 25 10:36:21 AEST 1986
In article <8352 at sun.uucp> guy at sun.uucp (Guy Harris) writes:
>[somebody wrote, I could go back and find who, but I'm lazy]:
>> Umm, could be sort of a security hole in itself: if anyone can make
>> a match to the "*" you have let them enter the system as root (uid==0).
>
>No, it can't, because they can't.

Lots of similar mail messages and articles to come, no doubt.
I always thought it was obvious, but enough people have expressed "ah-ha!"-
type wonder at this that maybe it bears repeating, and now's a good time.

There is always an amount of turnover at universities and companies, and
user accounts need to be zapped and/or de-activated. Many times, however,
the *files* owned by those folks, in those directories, want to remain;
there are also occasions where it is desirable to temporarily prevent
a user or account from logging in. A superuser (or adequately privileged user)
can zap the user's password, either with the passwd command or by
editing the /etc/passwd file, but since there is "no" way to determine
a user's password from the encrypted form in /etc/passwd, it's hard to
set it back.

A convenient method is to edit the passwd file and insert some character
at the beginning of the password string. I like to use '%', because it is
one of the characters that is never generated in an encryption string and
is easy to find and edit out later. A password can NEVER be entered which
matches the user's (new) password, preventing logins (and su's other than
by root), yet it is easy to give that person his/her password back.

A trivial point, to be sure, but I thought it was obvious and it apparently
isn't.
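The locking trick above, as an added worked example that is not part of the original post: the script parses passwd-format lines, prefixes the password field with '%' to lock an account, strips it again to unlock, and checks why the lock works, namely that '%' lies outside the 64-character alphabet (`.`, `/`, `0-9`, `A-Z`, `a-z`) that crypt(3) output is drawn from, so no entered password can ever hash to the locked field. The sample entries and their 13-character hashes are constructed and meaningless; the parser also rejects blank or short lines, which is the separate hazard the subject line of this thread refers to. On a modern system the hash lives in /etc/shadow and `passwd -l` / `usermod -L` apply the same idea by prefixing the field with '!'.

```python
"""Lock and unlock accounts in a traditional /etc/passwd by prefixing
the encrypted password field with a character crypt(3) never emits.
Added example; the passwd entries below are constructed, not real."""

# The seven colon-separated fields of a classic /etc/passwd entry.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")

# Every character that traditional crypt(3) output can contain.
CRYPT_ALPHABET = set(
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)

# The lock marker: chosen precisely because it is NOT in CRYPT_ALPHABET.
LOCK_CHAR = "%"
assert LOCK_CHAR not in CRYPT_ALPHABET

# Constructed sample file; the hash strings are fake 13-character values.
SAMPLE = """root:aBcDeFgHiJkLm:0:0:Super User:/:/bin/sh
eric:XyZ12./abcdef:101:20:Eric Black:/usr/eric:/bin/csh
"""


def parse_passwd(text):
    """Split passwd text into entries, refusing blank or malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            raise ValueError(
                f"line {lineno}: expected {len(FIELDS)} fields, "
                f"got {len(fields)} in {line!r}"
            )
        entries.append(dict(zip(FIELDS, fields)))
    return entries


def render_passwd(entries):
    """Serialise entries back to passwd text, one entry per line."""
    return "".join(":".join(e[f] for f in FIELDS) + "\n" for e in entries)


def is_locked(entry):
    return entry["passwd"].startswith(LOCK_CHAR)


def lock_entry(entry):
    """Prefix the hash with LOCK_CHAR; idempotent if already locked."""
    if not is_locked(entry):
        entry["passwd"] = LOCK_CHAR + entry["passwd"]
    return entry


def unlock_entry(entry):
    """Strip the LOCK_CHAR prefix, restoring the original hash intact."""
    if is_locked(entry):
        entry["passwd"] = entry["passwd"][len(LOCK_CHAR):]
    return entry


def could_match_crypt(field):
    """True iff some password could authenticate against this field.

    An empty field means 'no password required' on traditional login,
    so it is matchable. Otherwise the field must consist entirely of
    crypt alphabet characters; a '%'-prefixed (or '*') field cannot be
    produced by crypt(3), so no password will ever compare equal."""
    if field == "":
        return True
    return all(c in CRYPT_ALPHABET for c in field)


def set_lock(text, user, locked):
    """Return passwd text with `user` locked (True) or unlocked (False)."""
    entries = parse_passwd(text)
    for entry in entries:
        if entry["name"] == user:
            (lock_entry if locked else unlock_entry)(entry)
            break
    else:
        raise KeyError(f"no such user: {user}")
    return render_passwd(entries)


if __name__ == "__main__":
    locked = set_lock(SAMPLE, "eric", True)
    print(locked, end="")
    for e in parse_passwd(locked):
        print(f"{e['name']}: locked={is_locked(e)} "
              f"matchable={could_match_crypt(e['passwd'])}")
    print(set_lock(locked, "eric", False) == SAMPLE)
```

Locking and unlocking round-trip to the original text, so the user's real password survives untouched, which is the whole point of the '%' method over simply blanking the field.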
--
Eric Black "Garbage In, Gospel Out"
UUCP: {sun,pyramid,hplabs,amdcad}!cti!eric