Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!pacbell.com!ucsd!ucbvax!bloom-beacon!eru!hagbard!sunic!lth.se!newsuser
From: magnus%thep.lu.se@Urd.lth.se (Magnus Olsson)
Newsgroups: comp.unix.wizards
Subject: Re: WARNING!
Message-ID: <1991Apr11.122112.1122@lth.se>
Date: 11 Apr 91 12:21:12 GMT
References: <26520@adm.brl.mil>
Sender: newsuser@lth.se (LTH network news server)
Reply-To: magnus@thep.lu.se (Magnus Olsson)
Organization: Theoretical Physics, Lund university, Sweden
Lines: 32

In article meissner@osf.org (Michael Meissner) writes:
>In article <26520@adm.brl.mil> anamaria@saffron.wpd.sgi.com (Ana Maria
>De Alvare') writes:
>
>| I want to make it clear that a person can have access to someone's machine's
>| password file through the internet without having any accounts directly
>| related to that person. For example, through the ftp anonymous service,
>| I can copy a password file over.
>
>Ummm, unless you wrote your own ftpd, the standard BSD one explicitly
>chroot's anonymous FTP requests to the logon directory of the user
>'ftp'. In every system manual, where I've seen how to set up
>anonymous FTP, it mentions this, and tells the system manager never to
>make the logon directory be '/'.

Of course, you still need an /etc/passwd file (relative to FTP's "new"
root), but fortunately, the password information isn't needed. Here's
what you get if you connect with anonymous ftp to our machines and do a
"get /etc/passwd":

root:*:0:1:System PRIVILEGED Account:/:/usr/new/csh
ftp:*:295:15:Anonymous ftp:/usr/users/ftp:/usr/new/csh

All the ordinary users have been edited out, and there's no password
information left. All the presumptive cracker gets to know is that there
are accounts called root and ftp, and he probably knew that already...

Magnus Olsson                  |  \e+   /_
Dept. of Theoretical Physics   |   \  Z / q
University of Lund, Sweden     |    >----<
Internet: magnus@thep.lu.se    |   /    \===== g
Bitnet: THEPMO@SELDC52         |  /e-    \q
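An added example, not part of the post above or of any ftpd: a small audit script for the /etc/passwd that lives inside an anonymous-FTP chroot, checking it against the two properties the post describes (only the accounts ftpd needs are present, and every password field is a locked marker rather than a hash). The sample file is constructed from the two lines quoted in the post; the set of accepted "locked" markers and the default list of allowed accounts are assumptions for this example, not anything the post specifies.

```python
"""Audit the /etc/passwd inside an anonymous-FTP chroot (example code).

The post it accompanies shows a chroot passwd file reduced to 'root' and
'ftp' with '*' in the password field. This script parses a passwd(5)
file and reports anything that departs from that minimal shape.
"""

# Constructed sample: exactly the two lines quoted in the post.
SAMPLE_PASSWD = """\
root:*:0:1:System PRIVILEGED Account:/:/usr/new/csh
ftp:*:295:15:Anonymous ftp:/usr/users/ftp:/usr/new/csh
"""

# Assumed set of password-field values that carry no usable password.
# '*' is the convention shown in the post; the others are common
# "locked" or "shadowed" markers on later systems.
LOCKED_MARKERS = {"*", "x", "!", "*LK*", "NP"}


def parse_passwd(text):
    """Parse passwd(5) text into a list of dicts; skip blank and '#' lines.

    Raises ValueError on a line that does not have the seven colon-separated
    fields, so a truncated or hand-edited file is noticed rather than ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "password": password, "uid": int(uid),
            "gid": int(gid), "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def audit_ftp_passwd(text, allowed_accounts=("root", "ftp")):
    """Return a list of human-readable findings; an empty list is a clean file.

    Checks, per entry:
      * the account is one the chroot copy is expected to contain
        (default list is an assumption for this example);
      * the password field is a locked marker, not a hash and not empty;
      * the 'ftp' home directory is not '/', which the quoted advice warns
        against (ftpd consults the real /etc/passwd for this, but the copy
        inside the chroot normally mirrors it, so it is a useful sanity check).
    """
    findings = []
    for entry in parse_passwd(text):
        name = entry["name"]
        if name not in allowed_accounts:
            findings.append(f"{name}: account not expected inside the FTP chroot")
        if entry["password"] not in LOCKED_MARKERS:
            findings.append(
                f"{name}: password field is not a locked marker "
                f"({entry['password']!r}); possible leaked hash or empty password"
            )
        if name == "ftp" and entry["home"] == "/":
            findings.append("ftp: home directory is '/', so a chroot to it exposes the whole filesystem")
    return findings


if __name__ == "__main__":
    # Constructed "leaky" variant: an ordinary user with a hash-like field
    # left behind in the chroot copy.
    leaky = SAMPLE_PASSWD + "alice:ab12cd34ef56gh:1001:20:Alice:/home/alice:/bin/sh\n"
    for label, text in (("minimal", SAMPLE_PASSWD), ("leaky", leaky)):
        print(f"{label}: {audit_ftp_passwd(text) or ['clean']}")
```

Run it against the chroot's own etc/passwd (not the system one) by reading the file into `audit_ftp_passwd`; a non-empty result means the copy exposes more than the account names the post says an anonymous user learns.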