Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!lehi3b15!lafcol!smeadf
From: smeadf@lafcol.UUCP (Bill Smead)
Newsgroups: comp.admin.policy
Subject: Re: Student suspended for distributing /etc/passwd
Summary: /etc/shadow
Message-ID: <2718@lafcol.UUCP>
Date: 12 Jun 91 23:24:35 GMT
Organization: Academic Computer Center, Lafayette College
Lines: 30

[Stuff about UofGa student distributing passwd file removed.]

Stefan Linnemann writes:
> In the meantime users have to be able to read /etc/passwd in order to
> get a home directory, a login shell, etcetera.
>
> /etc/passwd is a security risk, that has not been plugged, yet.

Sorry Stefan, maybe it is not distributed in the Netherlands (see other discussions re: crypt), but this HAS been "plugged":

Under Unix System V, there is an "/etc/shadow" feature which masks the decrypted passwords from nosey users. In the /etc/passwd file, only a single x is shown in the second field. The rest of the /etc/passwd is straight from the old days (userid, UID, GID, full name, $HOME and login shell). The /etc/shadow contains the userid, the encrypted password, and the password aging, in days. This feature is turned on with a one-time command ("pwconv", I believe), which creates /etc/shadow and alters /etc/passwd. The default permissions for /etc/shadow restrict access for all but root.

The concept, and proper use of shadow passwords take some time to get used to, but after a short while, they become second nature.

Regards,
-Bill Smead
Platform Manager
AT&T
attmail!fsmead
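The passwd/shadow split that the post attributes to pwconv, as an added example that is not part of the original thread: it takes old-style /etc/passwd lines, leaves an `x` in the password field, moves the hash plus an aging value into shadow-style lines, and adds two checks an administrator would want afterwards (no hash left behind in passwd, no empty password in shadow, shadow mode readable by root only). The account names and hash strings are constructed placeholders, not real crypt(3) output, and the shadow layout is simplified to the fields the post mentions.

```python
import stat

# Constructed sample /etc/passwd in the old, pre-shadow layout:
# name:hash:UID:GID:full name:home:shell  (hashes are placeholders)
OLD_PASSWD = """\
root:$PLACEHOLDER_HASH_ROOT:0:0:root:/:/bin/sh
alice:$PLACEHOLDER_HASH_ALICE:1001:100:Alice Example:/home/alice:/bin/ksh
guest::1002:100:Guest Account:/home/guest:/bin/sh
"""


def pwconv(old_passwd: str, max_days: int = 90) -> tuple[str, str]:
    """Return (new_passwd, shadow) text from old-style passwd text.

    The second field of every passwd entry becomes a single 'x'; the
    hash moves to the shadow line along with a maximum age in days
    (simplified shadow layout: name:hash:lastchg:min:max).
    """
    passwd_lines, shadow_lines = [], []
    for line in old_passwd.splitlines():
        if not line.strip():
            continue
        name, pwhash, uid, gid, gecos, home, shell = line.split(":")
        passwd_lines.append(":".join([name, "x", uid, gid, gecos, home, shell]))
        shadow_lines.append(":".join([name, pwhash, "0", "0", str(max_days)]))
    return "\n".join(passwd_lines) + "\n", "\n".join(shadow_lines) + "\n"


def hashes_left_in_passwd(passwd: str) -> list[str]:
    """Names whose passwd entry still carries something other than 'x'."""
    return [l.split(":")[0] for l in passwd.splitlines() if l.split(":")[1] != "x"]


def accounts_without_password(shadow: str) -> list[str]:
    """Names whose shadow hash field is empty (login without a password)."""
    return [l.split(":")[0] for l in shadow.splitlines() if l.split(":")[1] == ""]


def shadow_mode_ok(mode: int) -> bool:
    """True if the file mode grants no group or other access, e.g. 0o400."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    new_passwd, shadow = pwconv(OLD_PASSWD)
    print(new_passwd)
    print("hashes left in passwd:", hashes_left_in_passwd(new_passwd))
    print("accounts without password:", accounts_without_password(shadow))
```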