Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!snorkelwacker!bloom-beacon!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.unix.questions
Subject: Re: How secure is UNIX?
Message-ID: <1990Jun10.083006.17475@athena.mit.edu>
Date: 10 Jun 90 08:30:06 GMT
References: <1990May23.100928.10699@agate.berkeley.edu> <720016@hpclapd.HP.COM>
Sender: news@athena.mit.edu (News system)
Organization: Massachusetts Institute of Technology
Lines: 44

In article <720016@hpclapd.HP.COM> defaria@hpclapd.HP.COM (Andy DeFaria) writes:
>I thought I explained this. IMHO /etc/passwd should NOT be publicly
>readable. If this were true then you couldn't ftp as root because you
>wouldn't even know the encrypted password, which, IMHO, you shouldn't have
>access to.

Oh, jolly good. So now you're proposing to take all the passwords (or, at
least, encrypted passwords) and put them in an /etc/shadow file, but other
than the fact that the file isn't world-readable, the rest of the scenario I
described is correct, right?

In that case, you're basing the entire security of your system on the
readability or non-readability of one file. Do you know how many ways there
are in Unix to read a file you're not supposed to be able to read? Or to read
portions of that file?

The elegance of the standard Unix security mechanism is that, given
well-chosen and moderately-frequently-changed passwords, it doesn't *matter*
whether or not someone can read the /etc/passwd file, because doing so *does
not enable them to break the security of your system*, at least not in the
short term. Under the system you propose, you've completely eliminated that
elegance.

Indeed, if the password file isn't world-readable, then why not just store
the plaintext password in it, and not the encrypted password? After all,
according to what you're saying, all you need to do to verify that someone is
who they say they are is to compare the string they give you to the string in
a file that isn't world-readable, so why bother with the encryption?

One more note -- this whole discussion started when someone suggested that
people be allowed to store their encrypted passwords in the .netrc file,
rather than their plaintext passwords, to prevent people who managed to read
their .netrc file from using it to gain access to other systems. Your
proposal doesn't fix that problem, because, as I've already said, if the
encrypted password is what is used for the authentication, then if I can read
your .netrc, I can still use its contents to break into your other accounts.

Jonathan Kamens			      USnail:
MIT Project Athena			      11 Ashford Terrace
jik@Athena.MIT.EDU			      Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710
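The point Kamens makes in the post above, as an added illustration that is not part of the original thread: a verifier that re-derives the hash from the secret the user types is not weakened by someone reading the stored entry, whereas a verifier that accepts the stored hash string itself turns that string into a password equivalent, so protecting the file becomes the whole of the security. The salted PBKDF2 scheme, the `salt$hash` entry format and the sample password are constructed here for the demonstration and stand in for crypt(3) and the /etc/passwd layout; they are not the historical Unix code.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, illustrative key derivation standing in for crypt(3).
ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from the secret and a per-entry salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Build a password-file entry in the constructed 'salthex$hashhex' format."""
    salt = salt if salt is not None else os.urandom(16)
    return f"{salt.hex()}${derive(password, salt).hex()}"


def verify_sound(entry: str, submitted: str) -> bool:
    """Unix-style check: the client sends the secret, the server re-derives
    the hash with the stored salt and compares.  Reading 'entry' does not
    tell you anything you can submit to pass this check."""
    salt_hex, hash_hex = entry.split("$", 1)
    expected = bytes.fromhex(hash_hex)
    actual = derive(submitted, bytes.fromhex(salt_hex))
    return hmac.compare_digest(actual, expected)


def verify_password_equivalent(entry: str, submitted: str) -> bool:
    """The design the post argues against: the client sends the stored hash
    string and the server compares strings.  Whoever can read the file can
    authenticate, so the hash is as sensitive as the plaintext password."""
    return hmac.compare_digest(entry.encode(), submitted.encode())


def demo() -> dict:
    """Run both verifiers against (a) the real secret and (b) the file contents."""
    secret = "correct-horse-battery"          # constructed sample password
    entry = make_entry(secret, salt=bytes(16))  # fixed salt so the entry is stable
    return {
        "sound_accepts_secret": verify_sound(entry, secret),
        "sound_accepts_file_contents": verify_sound(entry, entry),
        "equiv_accepts_secret": verify_password_equivalent(entry, secret),
        "equiv_accepts_file_contents": verify_password_equivalent(entry, entry),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only `sound_accepts_secret` and `equiv_accepts_file_contents` come out true: in the re-deriving design the file contents are useless to a reader, while in the string-comparison design the secret itself is never even needed, which is exactly why storing the "encrypted" password in .netrc under that design buys nothing.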