Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!cs.utexas.edu!sdd.hp.com!hp-pcd!hpfcso!hpfcdc!rodean
From: rodean@hpfcdc.HP.COM (Bruce Rodean)
Newsgroups: comp.sys.hp
Subject: Re: Serious security bug with passwd(1) in HP-UX
Message-ID: <5570478@hpfcdc.HP.COM>
Date: 23 Aug 90 21:07:52 GMT
References: <1990Aug22.155715.15365@anduin.cs.liverpool.ac.uk>
Organization: Hewlett-Packard Co., Ft. Collins, CO.
Lines: 27

In article <1990Aug22.155715.15365@anduin.cs.liverpool.ac.uk> rkl@anduin.cs.liverpool.ac.uk writes:
> There appears to be what I would consider to be a serious security bug
> with both HP-UX 6.5 (or 3.1) and 7.0 running on HP9000 kit (both series
> 300 and 800):
>
> [Details of passwd giving root user NULL passwd deleted]
>
> I thought this was important enough to be mentioned net-wide - how many
> times do you leave your console unattended with root logged in ...? I feel
> that "passwd" should prompt for the old password in the same way as
> "yppasswd" does and should disallow blank passwords.

The manual entry is very specific on this. The last sentence on passwd(1) says:

    A super-user can create a null password by entering a carriage return
    in response to the prompt for a new password.

This is consistent with the System V Interface Definition, third edition.
No one would expect someone to have root's password be null; but the
capability is allowed.

Bruce Rodean
rodean@hpfcla.HP.COM

This posting does not reflect any official position of Hewlett-Packard Co.
No guarantees of any kind are implied or stated.
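The audit check this exchange implies, added here as example code that is not from the post, from HP, or from HP-UX: read a file in the classic seven-field /etc/passwd format and report every account whose password field is empty, marking uid 0 entries separately. The sample entries are constructed, and the check assumes a non-shadowed passwd file where the hash lives in the second field.

```python
import sys

# Constructed sample in /etc/passwd format (not taken from the post):
# root with a hash, a locked daemon account, a normal user, and two
# accounts whose password field is empty, one of them with uid 0.
SAMPLE_PASSWD = """\
root:AbCdEfGhIjKlM:0:3::/:/bin/sh
daemon:*:1:5::/:/bin/sh
alice:XyZ1234567890:201:20:Alice:/users/alice:/bin/csh
toor::0:3:Second root:/:/bin/sh
guest::500:20:Guest:/users/guest:/bin/sh
"""


def find_null_passwords(passwd_text):
    """Return a list of (user, uid, kind) for every entry whose password
    field is empty; kind is 'root' for uid 0, 'user' otherwise, and
    'malformed' for lines that do not have the seven colon-separated fields."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # Report damaged entries rather than silently skipping them.
            findings.append(("<line %d>" % lineno, None, "malformed"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            uid_val = int(uid) if uid.isdigit() else None
            findings.append((user, uid_val, "root" if uid_val == 0 else "user"))
    return findings


if __name__ == "__main__":
    # Usage: python check_passwd.py [/etc/passwd]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for user, uid, kind in find_null_passwords(text):
        print("%-10s uid=%-6s %s" % (user, uid, kind))
```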