Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!spool.mu.edu!agate!agate!dpassage
From: dpassage@soda.berkeley.edu (David G. Paschich)
Newsgroups: comp.admin.policy
Subject: Re: Student suspended for distributing /etc/passwd
Message-ID:
Date: 13 Jun 91 09:24:10 GMT
Article-I.D.: soda.DPASSAGE.91Jun13012410
References: <2718@lafcol.UUCP>
Sender: usenet@agate.berkeley.edu (USENET Administrator)
Organization: cc
Lines: 28
In-Reply-To: smeadf@lafcol.UUCP's message of 12 Jun 91 23:24:35 GMT

In article <2718@lafcol.UUCP> smeadf@lafcol.UUCP (Bill Smead) writes:

   [Stuff about UofGa student distributing passwd file removed.]

   Stefan Linnemann writes:
   > In the mean time users have to be able to read /etc/passwd in order to
   > get a home directory, a login shell, etcetera.
   >
   > /etc/passwd is a security risk, that has not been plugged, yet.

   Sorry Stefan, maybe it is not distributed in the Netherlands (see other
   discussions re: crypt), but this HAS been "plugged":

   [description of /etc/shadow in sysV]

The hole has been plugged in the Unix sold by AT&T after a certain
date, not everywhere that it exists in older software, obscure
software, etcetera.

BTW, is AT&T demanding a license fee to use the code which implements
/etc/shadow? If so, they're certainly not doing everything they can
to promote the security of the Unix community.

--
David G. Paschich	Open Computing Facility		UC Berkeley
dpassage@ocf.berkeley.edu
"But I'd rather be a fish, 'cause a fish is an animal" -- Gener Fox