Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!uunet!mcsun!hp4nl!ooc.uva.nl!ropg From: ropg@ooc.uva.nl (Rop Gonggrijp) Newsgroups: comp.admin.policy Subject: SUSPEND SYSOPS, NOT STUDENTS Message-ID: <20740@slice.ooc.uva.nl> Date: 13 Jun 91 00:39:22 GMT Organization: Hack-Tic Lines: 74 crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) writes: >> I didn't know that doing things with an /etc/passwd >> would be considered unauthoprized use. >> the file is readable by the world after all. >> The uga student was not the one who broke in. >Then you're the most naive person I've ever encountered. >Read the following carefully: >in /etc/passwd there are passwords. Encrypted, I admit, but to a >hacker with the general encryption mechanism on his box (any Unix) >and a database of words (any Unix: see spell(1)), and some loose computer >time on his hands, this is no great problem. This means, that the hacker >can find passwords for some or (heaven forbid) all userid's including root, >just by matching encrypted words against the encrypted passwords, >unless ALL the passwords are thoroughly difficult. In practice there's >always a simple password: the hacker can enter the system as someone >he is not, namely a legitimate user. If a password-guesser without a stadium full of supercomputers finds the root password, something is very wrong with system security, and any user on the system could become root. If however the system-operator runs something like COPS every once in a while there is no problem, even if the password-file is put on misc.misc, distribution world. >In the mean time users have to be able to read /etc/passwd in order to >get a home directory, a login shell, etcetera. >/etc/passwd is a security risk, that has not been plugged, yet. >I could have sympathised with them hanging him from the highest >tree ;-) or something like that. Giving /etc/passwd to anyone, >including yourself, is in Unix terms the most heinous crime anyone >can commit, because you (can) compromise the whole system. Yeah, hang the hackers and even the students that just play around, hang all those ugly 12 year olds that just walk through our 'heavy' security. Why not hang kids that ring your bell and then run away (after all, they were trying to get access, and if you had a door buzzer, you would maybe have opened the door for them). >> What if a student runs cops on /etc/passwd... would this >> be considered intent to break into a system and could he thus >> be suspended? >It could be, yes, because cops could be used to find passwords. >However, you could write your own program that would do this. If >anyone would do this and uses or distributes the passwords, and it >would come out (as it usually does) all bets are off: the person in >question will be suspended and/or denied all access to computers. YOU >CAN GO TO JAIL even, nowadays, for such a stunt. Not in democracies. >Hope this has explained some of the finer points concerning the >password file. Do not access it directly: use finger(1), chsh(1) and >the like if you want to know or change things. Users have no business >accessing /etc/passwd directly. And kids, if you want to get a modem, get a license for it first, or the on-line police will come and raid your house for conspiracy to overthrow the government. Do NOT (I repeat NOT) try to learn something from the structure of UNIX, in fact, give up C and program in COBOL only! --- Rop Gonggrijp (ropg@ooc.uva.nl) is also editor of Hack-Tic (hack/phreak mag.) quote: "We don't care about freedom of the mind, | Postbus 22953 (in DUTCH) freedom of signature will do just fine" | 1100 DL AMSTERDAM Any opinions in this posting are wasted on you | tel: +31 20 6001480