Xref: utzoo comp.unix.programmer:1256 alt.sources.d:1583
Path: utzoo!utgpu!cs.utexas.edu!wuarchive!csus.edu!beach.csulb.edu!nic.csu.net!csun!kithrup!sef
From: sef@kithrup.COM (Sean Eric Fagan)
Newsgroups: comp.unix.programmer,alt.sources.d
Subject: Re: -x implementations
Message-ID: <1991Mar08.194702.5369@kithrup.COM>
Date: 8 Mar 91 19:47:02 GMT
References: <668288533.3106@mindcraft.com> <1991Mar07.091123.13033@kithrup.COM>
Organization: Kithrup Enterprises, Ltd.
Lines: 27

In article peter@ficc.ferranti.com (Peter da Silva) writes:
>Isn't this a security hole? I mean, once you can write to the password file
>you have the keys to the kingdom. I hope this goes away when you turn off C2.

Eeek.

Let me explain this a bit better: a while ago, I wrote up my own
implementation of login that set multiple groups. I was running that.
However, the *kernel* was still broken: it didn't check multiple groups for
access permission (which kinda defeated the entire reason I'd done it: I
wanted to be in group uucp so I didn't have to be root to do a
'cu -l tty2A dir').

Now, however, the kernel has been fixed, and a new version of login. I
installed all of this, and went on my merry way. However, I'd *completely*
forgotten that I'd set myself up to be in almost every group in existence
(well, 7 of them, at least). One of those groups was 'auth', which has write
access to /etc/passwd. Since the multiple groups now work, I have write
access to /etc/passwd.

And, no, sorry: under sco's unix, having write access to /etc/passwd will
only allow you to lock everyone out by removing or changing values; it won't
let you get it. You need to create one or two more files elsewhere in the
tree with all the proper magic in them.

-- 
Sean Eric Fagan  | "I made the universe, but please don't blame me for it;
sef@kithrup.COM  |  I had a bellyache at the time."
-----------------+           -- The Turtle (Stephen King, _It_)
Any opinions expressed are my own, and generally unpopular with others.
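
The difference the post describes between the old and the fixed kernel, as an added example that is not part of the original post and not SCO's code: a model of the classic UNIX write-permission check with and without the supplementary group list. The struct names, numeric ids, the 0664 mode and the file owner are constructed assumptions; gid 21 merely stands in for 'auth'.

```c
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of a process's credentials (not a real kernel struct). */
struct cred {
    uid_t uid;
    gid_t gid;            /* primary group */
    const gid_t *groups;  /* supplementary group list */
    int ngroups;
};

/* Constructed model of the file attributes the check needs. */
struct fattr { uid_t uid; gid_t gid; mode_t mode; };

static int in_group(const struct cred *c, gid_t g, int check_supp)
{
    if (c->gid == g)
        return 1;
    for (int i = 0; check_supp && i < c->ngroups; i++)
        if (c->groups[i] == g)
            return 1;
    return 0;
}

/* Classic UNIX write check: exactly one class (owner, group, other) applies.
 * check_supp = 0 models the kernel that ignored supplementary groups,
 * check_supp = 1 the fixed one. Returns 1 if write is allowed. */
int may_write(const struct cred *c, const struct fattr *f, int check_supp)
{
    if (c->uid == 0)
        return 1;                          /* root bypasses mode bits */
    if (c->uid == f->uid)
        return (f->mode & 0200) != 0;      /* owner class */
    if (in_group(c, f->gid, check_supp))
        return (f->mode & 0020) != 0;      /* group class */
    return (f->mode & 0002) != 0;          /* other class */
}

/* Constructed sample: uid 200 with primary gid 50 and three extra groups. */
static const gid_t sample_groups[] = { 5, 21, 30 };
const struct cred sample_user = { 200, 50, sample_groups, 3 };
const struct fattr sample_passwd = { 2, 21, 0664 };  /* group 21 may write */

int main(void)
{
    printf("old kernel:   write=%d\n", may_write(&sample_user, &sample_passwd, 0));
    printf("fixed kernel: write=%d\n", may_write(&sample_user, &sample_passwd, 1));
    return 0;
}
```

The same login configuration is harmless under the first check and grants write access under the second, which is why group memberships set up before such a fix need re-auditing afterwards.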