Xref: utzoo comp.unix.internals:2368 comp.unix.admin:1291
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!xavax!jat
From: jat@xavax.com (John Tamplin)
Newsgroups: comp.unix.internals,comp.unix.admin
Subject: Re: Unix security additions
Message-ID: <1991Mar18.030955.13123@xavax.com>
Date: 18 Mar 91 03:09:55 GMT
Organization: Xavax
Lines: 27

In article <19099@rpp386.cactus.org> jfh@rpp386.cactus.org (John F Haugh II) writes:
>>o Getting the passwords where they can't be publicly read
>
>This was done for AIX v2, but has also been done with SVR3.2 and
>BSD.  No one has solved certain problems with transparency - that
>is, making shadowed passwords look and feel like old-style
>publicly readable passwords.  This means all the programs that
>used to think pw_passwd was valid are wrong ;-(.  Making matters
>worse, AT&T, BSD, and IBM all fail to converge on a single
>mechanism (and AT&T fails to agree on a single file format for
>their various releases).  So you have a non-standard,
>non-transparent feature ...

I am using a SVR3.2.2 system with shadowed passwords, and the interface
provided is getspent() etc.  After hacking one too many programs to use the
new library calls to get the password, I decided the best way to solve the
problem was to have getpwent() look up pw_passwd in the shadow file iff
euid=root.  This way, programs that are supposed to have access have it in
the same old fashion, and programs that don't get some nonsense password
(either ! or x in the implementations I have seen).

Maybe one of these days I will get around to actually writing this.

-- 
John Tamplin                    Xavax
jat@xavax.COM                   2104 West Ferry Way
...!uunet!xavax!jat             Huntsville, AL 35801
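
The lookup rule described in the article above, sketched in C as an added
example; it is not part of the original article and is not the poster's code.
The names shadow_getpwnam() and visible_passwd() are hypothetical, the sketch
wraps getpwnam() rather than replacing the libc routine, and it assumes
getspnam() from <shadow.h> (as on Linux) in place of the SVR3.2 interface.

```c
#define _DEFAULT_SOURCE
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Decide which password field a caller with effective uid `euid` sees:
 * the shadow entry for root when one exists, otherwise the placeholder
 * ("x", "!") stored in the world-readable passwd file. */
const char *visible_passwd(const struct passwd *pw, const struct spwd *sp,
                           uid_t euid)
{
    if (euid == 0 && sp != NULL && sp->sp_pwdp != NULL)
        return sp->sp_pwdp;
    return pw->pw_passwd;
}

/* Hypothetical wrapper: behaves like getpwnam(), but fills pw_passwd from
 * the shadow file iff euid == 0. The result points into libc's static
 * buffers, exactly as with getpwnam() and getspnam(). */
struct passwd *shadow_getpwnam(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return NULL;
    uid_t euid = geteuid();
    /* Only consult the shadow file when the caller is entitled to it. */
    struct spwd *sp = (euid == 0) ? getspnam(name) : NULL;
    pw->pw_passwd = (char *)visible_passwd(pw, sp, euid);
    return pw;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    struct passwd *pw = shadow_getpwnam(name);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", name);
        return 1;
    }
    /* Report the field's length only, never the field itself. */
    printf("%s: euid=%ld, pw_passwd length=%zu\n", name, (long)geteuid(),
           strlen(pw->pw_passwd));
    return 0;
}
```

Old programs that read pw_passwd keep working unchanged when run as root,
while every other caller still sees only the placeholder.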