Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!uunet!mcsun!hp4nl!rulway.LeidenUniv.nl!rulcvx.LeidenUniv.nl!crissl
From: crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann)
Newsgroups: comp.admin.policy
Subject: Re: Student suspended for distributing /etc/passwd
Message-ID: <1991Jun12.112633.14888@rulway.LeidenUniv.nl>
Date: 12 Jun 91 11:26:33 GMT
References: <31124@hydra.gatech.EDU>
Sender: root@rulway.LeidenUniv.nl (System PRIVILEGED Account)
Organization: Leiden University, the Netherlands.
Lines: 79
Nntp-Posting-Host: rulcvx.leidenuniv.nl

In article <31124@hydra.gatech.EDU> ccastmg@prism.gatech.EDU (Michael G. Goldsman) writes:
> I just read this on ga.general...
> ----------------------------------------------------------------
[ deleted for brevity ]
> What this student did was mail a copy of /etc/passwd from athena.cs.uga.edu
> to a "hacker" who had already penetrated another system, and who wanted
> to use a password-guessing program to break into athena. The student was
> fully aware that he was assisting in a break-in.
[ deleted for brevity ]
> I didn't know that doing things with an /etc/passwd
> would be considered unauthorized use.
> the file is readable by the world after all.
> The uga student was not the one who broke in.

Then you're the most naive person I've ever encountered.  Read the
following carefully: in /etc/passwd there are passwords.  Encrypted, I
admit, but to a hacker with the general encryption mechanism on his box
(any Unix) and a database of words (any Unix: see spell(1)), and some
loose computer time on his hands, this is no great problem.  This means
that the hacker can find passwords for some or (heaven forbid) all
userids including root, just by matching encrypted words against the
encrypted passwords, unless ALL the passwords are thoroughly difficult.
In practice there's always a simple password: the hacker can enter the
system as someone he is not, namely a legitimate user.
In the meantime users have to be able to read /etc/passwd in order to
get a home directory, a login shell, etcetera.  /etc/passwd is a
security risk that has not been plugged yet.

> I have some serious problems with UGA suspending him.
> I am a little too "exam-week-weary" to articulate my feelings well,
> but I thought that you guys should know about this.

I could have sympathised with them hanging him from the highest tree ;-)
or something like that.  Giving /etc/passwd to anyone, including
yourself, is in Unix terms the most heinous crime anyone can commit,
because you (can) compromise the whole system.

> What if a student runs cops on /etc/passwd... would this
> be considered intent to break into a system and could he thus
> be suspended?

It could be, yes, because cops could be used to find passwords.
However, you could write your own program that would do this.  If anyone
would do this and uses or distributes the passwords, and it would come
out (as it usually does) all bets are off: the person in question will
be suspended and/or denied all access to computers.  YOU CAN GO TO JAIL
even, nowadays, for such a stunt.

> Well, you guys can mull it over today, I need some sleep.
> -Mike Goldsman

Hope this has explained some of the finer points concerning the password
file.  Do not access it directly: use finger(1), chsh(1) and the like if
you want to know or change things.  Users have no business accessing
/etc/passwd directly.

> --
> ------------------------------------------------------------------------
> Mike Goldsman
> 36004 Georgia Tech Station
> Atlanta Georgia, 30332, 404-872-5146

Greetings,
Stefan.

Stefan M. Linnemann                 | The cutest .sig
System programmer                   | is not so big.
Leiden University, the Netherlands. |
Email: crissl@rulcvx.LeidenUniv.nl  | SMiLe 1991
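
An added example, not part of the original post: an administrator's audit of
passwd(5)-format text that flags accounts whose password field carries a hash
(readable by every local user, as the reply describes) or is empty. The sample
entries and the placeholder conventions ("x", "NP", a leading "*" or "!") are
assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample in passwd(5) layout; the "hashes" are dummy strings.
SAMPLE = """\
root:aaCONSTRUCTED:0:0:Operator:/:/bin/sh
daemon:*:1:1::/:
guest::100:100:Guest:/home/guest:/bin/sh
alice:x:101:100:Alice:/home/alice:/bin/csh
bob:bbCONSTRUCTED:102:100:Bob:/home/bob:/bin/sh
broken line
"""

@dataclass
class Finding:
    user: str
    uid: int
    status: str  # exposed-hash | empty-password | placeholder | malformed

def classify_field(pw: str) -> str:
    """Classify the second passwd field without touching its contents."""
    if pw == "":
        return "empty-password"          # login needs no password at all
    if pw in {"x", "NP"} or pw[0] in "!*":
        return "placeholder"             # assumed: no usable hash in this file
    return "exposed-hash"                # hash is visible to every local user

def audit_passwd(text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(Finding(f"<line {lineno}>", -1, "malformed"))
            continue
        findings.append(Finding(fields[0], int(fields[2]), classify_field(fields[1])))
    return findings

def risky(findings: list[Finding]) -> list[Finding]:
    """Entries needing action, uid 0 first, then by name."""
    bad = [f for f in findings if f.status != "placeholder"]
    return sorted(bad, key=lambda f: (f.uid != 0, f.user))

if __name__ == "__main__":
    for f in risky(audit_passwd(SAMPLE)):
        print(f"{f.user:10} uid={f.uid:<5} {f.status}")
```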