Path: utzoo!attcan!uunet!samsung!zaphod.mps.ohio-state.edu!swrinde!ucsd!ucbvax!hplabs!hpfcso!hpfcdc!rbw
From: rbw@hpfcdc.HP.COM (Rick Whitner)
Newsgroups: comp.sys.hp
Subject: Re: SAM sucks (was Re: ARPA Services Problems on 7.0)
Message-ID: <5570438@hpfcdc.HP.COM>
Date: 27 Jun 90 15:19:28 GMT
References: <9722@pt.cs.cmu.edu>
Organization: HP Ft. Collins, Co.
Lines: 64

In response to:
>
>Brian Bartholomew       UUCP: ...gatech!uflorida!beach.cis.ufl.edu!bb
>University of Florida   Internet: bb@beach.cis.ufl.edu
>
> o HP-UX v7.0, as distributed under the "Instant Ignition" option
>   (don't get me started about that!), comes with null passwords
>   for each entry in /etc/group. This allows any user to use
>   the "newgrp" command, and have the group privileges of root, bin,
>   or anyone else. I promptly put stars in each password field,
>   to patch this hole. Later, I used SAM to add a new user account.
>   It decided to remove the stars from the group entries, without
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I have attempted (unsuccessfully) to replicate the problem you describe
here. I placed stars in each password field in /etc/group and then added
a new user using SAM. I tried other variations of this same operation and
still could not replicate the problem. Perhaps if you could provide more
information on the situation/circumstances/configuration/etc., the source
of your problem could be identified.

>   telling me, even though my addition did not require any changes
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   to the group file! This was the last straw, and we took off the
    ^^^^^^^^^^^^^^^^^^
>   executable permission bit from SAM, just to prevent accidents.

When a new user is added to the system, /etc/group is modified to add
that user to his primary group. SAM uses the functions documented under
getgrent(3C) in the HP-UX Reference to interact with the /etc/group file.

In response to:
>>                        tom lane
>>Internet: tgl@cs.cmu.edu
>>UUCP: !cs.cmu.edu!tgl
>>BITNET: tgl%cs.cmu.edu@cmuccvma
>>CompuServe: >internet:tgl@cs.cmu.edu
>>
>>I too have lost all confidence in SAM. My last straw was when I used SAM
>>to add a new user, and it silently made gratuitous changes in other entries
>>in /etc/passwd. I've forgotten the details, but I'm pretty sure that those
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
>>changes created security holes.

SAM uses the library calls getpwent(3C) (et al.) in a rather
straightforward manner when modifying /etc/passwd. It is difficult
(though not impossible) to see how arbitrary changes might be made to a
properly formatted /etc/passwd file. If you can recall the details, that
would be very helpful in determining what might be going on.

>>If anybody at HP is listening, I suggest you either trash SAM or rewrite
                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>it from the ground up. The first time somebody with a supposedly secure
>>system gets bitten by something SAM did, you are looking at major trouble.

We are listening and are receptive to your comments and concerns. That's
why I solicit specifics and details, so that we can better address your
needs.

Rick Whitner
rbw@hpfcla.hp.com
hplabs!hpfcla!rbw

Disclaimer - this posting represents my personal opinions only.
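
The specifics requested in this post can be captured by snapshotting /etc/group before and after an administrative tool runs and comparing the two. The following is an added example, not part of the original post and not HP or SAM code; the sample group entries, user names and function names are constructed for illustration.

```python
# Added example: compare two snapshots of /etc/group-format text and report
# entries whose password field was emptied or whose membership changed.
SAMPLE_BEFORE = "root:*:0:root\nbin:*:2:root,bin\nusers:*:20:alice\n"      # constructed
SAMPLE_AFTER = "root::0:root\nbin:*:2:root,bin\nusers:*:20:alice,bob\n"   # constructed

def parse_group(text):
    """Return {name: (passwd_field, gid, [members])}; raise on malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, passwd, gid, members = fields
        entries[name] = (passwd, gid, [m for m in members.split(",") if m])
    return entries

def empty_password_groups(text):
    """Groups with an empty password field (the condition the thread describes)."""
    return sorted(n for n, (pw, _, _) in parse_group(text).items() if pw == "")

def diff_groups(before, after):
    """List (group, finding) pairs describing what changed between snapshots."""
    b, a = parse_group(before), parse_group(after)
    findings = []
    for name in sorted(set(b) | set(a)):
        if name not in a:
            findings.append((name, "removed"))
        elif name not in b:
            findings.append((name, "added"))
        else:
            if b[name][0] != a[name][0]:
                emptied = a[name][0] == ""
                findings.append((name, "password field emptied" if emptied
                                 else "password field changed"))
            if b[name][1] != a[name][1]:
                findings.append((name, "gid changed"))
            if set(b[name][2]) != set(a[name][2]):
                findings.append((name, "members changed"))
    return findings

if __name__ == "__main__":
    print("empty password fields:", empty_password_groups(SAMPLE_AFTER))
    for group, finding in diff_groups(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"{group}: {finding}")
```

Run against real copies of the file taken immediately before and after adding a user, the output separates the expected change (the new user joining their primary group) from any change to a password field.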