Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!uunet!mcsun!ukc!strath-cs!baird!jim
From: jim@cs.strath.ac.uk (Jim Reid)
Newsgroups: comp.sys.hp
Subject: Re: Serious security bug with passwd(1) in HP-UX
Message-ID:
Date: 23 Aug 90 10:29:33 GMT
References: <1990Aug22.155715.15365@anduin.cs.liverpool.ac.uk>
Sender: jim@cs.strath.ac.uk
Organization: Computer Science Dept., Strathclyde Univ., Glasgow, Scotland.
Lines: 38
In-reply-to: rkl@anduin.cs.liverpool.ac.uk's message of 22 Aug 90 14:57:14 GMT

In article <1990Aug22.155715.15365@anduin.cs.liverpool.ac.uk> rkl@anduin.cs.liverpool.ac.uk writes:

> Login as root and type "passwd". Press RETURN only at each of the two
> password prompts and - hey presto ! - root now has a blank password and
> NO WARNING IS GIVEN (it's bad enough that it allows it in the first
> place). The /etc/passwd entry for root appears to have a non-null
> crypted password, but it's actually a null password encrypted by
> crypt ! This is even more dangerous, because programs like pwck won't
> pick this up. Someone with super-user privileges should not be so
> stupid that they attempt to give root a null password.

[Dearie me, the passwd program has done *exactly* what you told it: how
could it know that root did or did not want a null password?]

> I thought this was important enough to be mentioned net-wide - how many
> times do you leave your console unattended with root logged in ...?
>
> I feel that "passwd" should prompt for the old password in the same way
> as "yppasswd" does and should disallow blank passwords.

Some observations:

[1] ANYONE who leaves an unattended root login is asking for trouble.

[2] If you're using Yellow Pages (NIS) to distribute password files, you
don't have security anyway. yppasswd just adds more security holes to
something that's already easily compromised.

[3] The reason that passwd does not ask for the old root password is
very simple: what if it had been forgotten or root's encrypted password
was corrupted somehow?

On most machines, you should be able to boot the system to single-user
mode without needing to give a password (perhaps only from distribution
media) and that would enable you to fix the password file. [Bear in mind
that a lot of these new "C2 secure Unix" systems don't allow hand editing
of the password file(s), only permitting updates through utilities like
passwd.]

Jim
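The condition rkl describes, a null password that looks like a real hash because it is crypt("") with a salt, is something pwck does not check for but an administrator can scan for. The script below is an added example, not code from the original thread; the passwd entries are constructed, and it relies on Ruby's String#crypt, which calls the system crypt(3).

```ruby
# Flag accounts that can be entered with no password: an empty password
# field, or a field that is exactly crypt("", salt) for its own salt.

# Reproduce the salt crypt(3) needs to regenerate a stored hash.
def salt_of(hash)
  if hash.start_with?("$")
    # Modular format "$id$[rounds=N$]salt$hash": everything up to the last "$".
    hash[0..hash.rindex("$")]
  else
    # Traditional DES crypt: the first two characters are the salt.
    hash[0, 2]
  end
end

# Returns [[user, reason], ...]; locked entries ("*", "!") are skipped
# because crypt() can never produce them.
def scan_null_passwords(passwd_text)
  findings = []
  passwd_text.each_line do |line|
    line = line.chomp
    next if line.empty? || line.start_with?("#")
    user, field = line.split(":", 3)
    if field.nil? || field.empty?
      findings << [user, "empty password field"]
    elsif field.start_with?("*", "!") || field.length < 2
      next
    else
      begin
        # A match means the stored hash is the encryption of "" under this salt.
        findings << [user, "password field is crypt of the empty string"] if "".crypt(salt_of(field)) == field
      rescue ArgumentError, SystemCallError
        next  # salt not usable on this system; cannot be a crypt("") hash here
      end
    end
  end
  findings
end

# Constructed sample (not from the post): root has the exact condition
# described, guest has an empty field, jim has a genuine password.
SAMPLE_PASSWD = <<~PASSWD
  root:#{"".crypt("Xy")}:0:0:Super-User:/:/bin/sh
  guest::200:20:Guest:/tmp:/bin/sh
  jim:#{"correct horse".crypt("Xy")}:100:20:Jim Reid:/u/jim:/bin/csh
  nobody:*:65534:65534:Nobody:/:/bin/false
PASSWD

scan_null_passwords(SAMPLE_PASSWD).each { |u, why| puts "#{u}: #{why}" } if __FILE__ == $0
```

Run against a real /etc/passwd (or the shadow file on systems that use one) by feeding its contents to scan_null_passwords.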