Path: utzoo!utgpu!watserv1!watmath!att!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!bin
From: bin@primate.wisc.edu (Brain in Neutral)
Newsgroups: comp.protocols.appletalk
Subject: Re: aufs security warning/fix
Message-ID: <3065@uakari.primate.wisc.edu>
Date: 10 Sep 90 02:38:26 GMT
References: <9009072101.AA15458@orchestra.ecn.purdue.edu>
Sender: bin@primate.wisc.edu
Reply-To: bin@primate.wisc.edu
Lines: 17

From article <9009072101.AA15458@orchestra.ecn.purdue.edu>, by moyman@ORCHESTRA.ECN.PURDUE.EDU (James M Moya):
>
> Much to my dismay, if you have any UNIX accounts with nothing in the
> /etc/passwd "password" field, you can "connect" to that account through
> aufs (just use the login of that account in the chooser when "aufs connecting",
> and hit return) voila! full access!! ...This can cause potential (let your
> imagination run here) damage.

Why is this an *aufs* problem? If you have an account with no password,
anyone can login to that account via modem, hardwired terminal, terminal
server, telnet, ftp, etc. and have full access. That's what "no password"
means - it's a public account, essentially.

Your password file is broken, not aufs.

Paul DuBois
dubois@primate.wisc.edu
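
Added example, not part of the original post: a shell function that audits a passwd-format file for the empty password fields discussed above. It goes beyond the post by also resolving "x" entries through a shadow-format file; the function names, report messages and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts whose password field is empty.
# Usage: empty_pw_accounts PASSWD_FILE [SHADOW_FILE]
empty_pw_accounts() {
    passwd_file=$1
    shadow_file=${2:-/dev/null}   # optional; assumes the usual shadow(5) layout
    awk -F: '
        /^#/ || NF < 2 { next }   # skip comments and blank or malformed lines
        src == "shadow" { shadow_pw[$1] = $2; in_shadow[$1] = 1; next }
        $2 == "" { print $1 ": empty password field in passwd"; next }
        # "x" defers to the shadow file; an empty field there is just as open
        $2 == "x" && in_shadow[$1] && shadow_pw[$1] == "" {
            print $1 ": empty password field in shadow"
        }
    ' src=shadow "$shadow_file" src=passwd "$passwd_file"
}

# Constructed sample data (not taken from any real system).
run_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
guest::500:500:Guest:/home/guest:/bin/sh
ftp:*:14:50:FTP:/var/ftp:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructed$notarealhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:!:19000:0:99999:7:::
EOF
    empty_pw_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

run_demo
```

Entries holding "*" or "!" are left out of the report because those values lock the account rather than leave it open.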