Do not use blank lines in /etc/passwd
Tim Northrup
tim at brspyr1.UUCP
Fri Oct 24 10:33:47 AEST 1986
In article <2837 at rsrch.WISC.EDU> mcvoy at rsch.wisc.edu (Larry McVoy) writes:
> In article <4701 at brl-smoke.ARPA> hoey at NRL-AIC.arpa (Dan Hoey) writes:
> >At least in vanilla 4.2, having blank lines anywhere in your password
> >file opens a security hole that I will forbear to discuss on this list.
> >I have not verified this on other systems, but I advise you to stick to
> >the standard format. If you want to insert blank lines for readability
> >(which is how I discovered the bug) use nearly-blank lines like
> >
> >x:*:0:0: ::
>
> Umm, could be sort of a security hole in itself: if anyone can make a
> match to the "*" you have let them enter the system as root (uid==0).
> I realize that "*" and "**" etc are commonly used and probably pose
> no risk on most [all?] versions of Unix, but why tempt fate? Make the
> uid & gid be something harmless and be sure.
I was under the impression that the /etc/passwd table used crypt(3) style
passwords, and that the password generated was ALWAYS 13 characters long.
If this is still the case, it is IMPOSSIBLE to generate a password that
matches '*'. (We use it for all of our secure ID's).
--
Tim Northrup (518) 783-1161
BRS Information Technologies ...!ihnp4!dartvax!brspyr1!tim
1200 Route 7 ...!seismo!rpics!brspyr1!tim
Latham, NY 12110 tim at brspyr1.UUCP
======== INSERT STANDARD DISCLAIMER FORM 43Z892-BXY/86.3 HERE =============
"It's good to be the king!"
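
The points raised in this thread (no blank lines, a password field that cannot be a crypt(3) result, a harmless uid on placeholder entries) can be checked mechanically. The following is an added example, not code from any poster in the thread; it assumes the classic 7-field passwd layout with traditional 13-character crypt(3) strings in the password field, and the function name and sample file are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: exactly 13 characters from [./0-9A-Za-z].
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def audit_passwd(text):
    """Return (line_number, message) findings for classic 7-field passwd text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            findings.append((n, "blank line"))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "expected 7 fields, found %d" % len(fields)))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((n, "%s: empty password field" % name))
        elif not CRYPT_RE.match(pw):
            # The field cannot equal any crypt(3) result, so no password
            # matches it; such an entry still should not carry uid 0.
            if uid == "0" and name != "root":
                findings.append((n, "%s: locked entry carries uid 0" % name))
        if not uid.isdigit():
            findings.append((n, "%s: non-numeric uid" % name))
    return findings

# Constructed sample, not taken from any real system; the root password
# field is a made-up 13-character string, not a real hash.
SAMPLE = """root:ab01FAX.bQRSU:0:0:Operator:/:/bin/sh

x:*:0:0: ::
daemon:*:1:1::/:
guest::100:100:Guest:/usr/guest:/bin/sh
"""

if __name__ == "__main__":
    for n, msg in audit_passwd(SAMPLE):
        print("line %d: %s" % (n, msg))
```
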