Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!sdd.hp.com!wuarchive!uunet!mcsun!hp4nl!rulway.LeidenUniv.nl!rulcvx.LeidenUniv.nl!crissl
From: crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann)
Newsgroups: comp.admin.policy
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
Message-ID: <1991Jun13.114433.22530@rulway.LeidenUniv.nl>
Date: 13 Jun 91 11:44:33 GMT
References: <20740@slice.ooc.uva.nl>
Sender: root@rulway.LeidenUniv.nl (System PRIVILEGED Account)
Organization: Leiden University, the Netherlands.
Lines: 104
Nntp-Posting-Host: rulcvx.leidenuniv.nl

In article <20740@slice.ooc.uva.nl> ropg@ooc.uva.nl (Rop Gonggrijp) writes:
>crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) writes:
>>time on his hands, this is no great problem. This means, that the hacker
>>can find passwords for some or (heaven forbid) all userids including root,
>>just by matching encrypted words against the encrypted passwords,
>>unless ALL the passwords are thoroughly difficult. In practice there's
>>always a simple password: the hacker can enter the system as someone
>>he is not, namely a legitimate user.

>If a password-guesser without a stadium full of supercomputers finds the root
>password, something is very wrong with system security, and any user on the
>system could become root. If however the system-operator runs something like
>COPS every once in a while there is no problem, even if the password-file is
>put on misc.misc, distribution world.

I fully agree with you here and I run COPS regularly. Nevertheless, putting a
password file on the net compromises your system security, because user
accounts become open to attack:
1: all valid user names are known to the readers of misc.misc and
2: on BSD their encrypted passwords are known, too.
This makes it relatively easy to find a user and password. Remember: several
strings can encrypt to the same result!

>>In the meantime users have to be able to read /etc/passwd in order to
>>get a home directory, a login shell, etcetera.
>>/etc/passwd is a security risk, that has not been plugged, yet.

I should have added: "on BSD systems.", as someone in another article observed.

>>I could have sympathised with them hanging him from the highest
>>tree ;-) or something like that. Giving /etc/passwd to anyone,
>>including yourself, is in Unix terms the most heinous crime anyone
>>can commit, because you (can) compromise the whole system.

>Yeah, hang the hackers and even the students that just play around, hang all
>those ugly 12 year olds that just walk through our 'heavy' security. Why not
>hang kids that ring your bell and then run away (after all, they were trying
>to get access, and if you had a door buzzer, you would maybe have opened the
>door for them).

Has nobody explained the use of smileys to you?

>>> What if a student runs cops on /etc/passwd... would this
>>> be considered intent to break into a system and could he thus
>>> be suspended?

>>It could be, yes, because cops could be used to find passwords.
>>However, you could write your own program that would do this. If
>>anyone would do this and uses or distributes the passwords, and it
>>would come out (as it usually does) all bets are off: the person in
>>question will be suspended and/or denied all access to computers. YOU
>>CAN GO TO JAIL even, nowadays, for such a stunt.

>Not in democracies.

I'm no lawyer, so this is the last I'm going to say about this: using or
distributing passwords you've cracked can be prosecuted in a court of law,
nowadays, and you can be punished for it (if the case holds, of course).
Whether actual jail term can be the result, I don't know, so I guess I
shouldn't have specified that.

>>Hope this has explained some of the finer points concerning the
>>password file. Do not access it directly: use finger(1), chsh(1) and
>>the like if you want to know or change things. Users have no business
>>accessing /etc/passwd directly.

>And kids, if you want to get a modem, get a license for it first, or the
>on-line police will come and raid your house for conspiracy to overthrow
>the government. Do NOT (I repeat NOT) try to learn something from the
>structure of UNIX, in fact, give up C and program in COBOL only!

Come off it! We're talking about the password file here. If a user executes
a 'privileged' program and mucks up the system, THEN I can believe 'no harm
intended', because it's not so clear what is privileged and what not. But
that was not what we were talking about. So get off of your high horse and
dance to the tune I was singing here, or sing your own without reference to
me.

I will repeat: users have no business accessing /etc/passwd directly.
However, they can, and they have to have read access. So long as they don't
abuse it, fine. As soon as they start cracking passwords: warn them about
the consequences. As soon as they start using the passwords they found: warn
them severely that the next time their account will be pulled. As soon as
they distribute any password: pull their account and THEN talk, if
applicable. At least that's how I see it. Users are smart enough to know
that passwords are not to be played with.

>---
>Rop Gonggrijp (ropg@ooc.uva.nl) is also editor of Hack-Tic (hack/phreak mag.)
>quote: "We don't care about freedom of the mind, | Postbus 22953 (in DUTCH)
>        freedom of signature will do just fine"  | 1100 DL AMSTERDAM
>Any opinions in this posting are wasted on you   | tel: +31 20 6001480

Till we meet again,

Stefan.

Stefan M. Linnemann                 | The cutest .sig
System programmer                   | is not so big.
Leiden University, the Netherlands. |
Email: crissl@rulcvx.LeidenUniv.nl  | SMiLe 1991
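As an added example (not from the posting, and not code from COPS itself), here is a small Python audit in the spirit of the COPS check Stefan mentions: it reads passwd(5)-format lines and flags the exposures the thread discusses, password hashes readable by every user in /etc/passwd and empty passwords, plus any extra uid-0 account. The sample lines, user names and hash-looking strings are constructed.

```python
"""
Audit passwd(5)-format lines for the exposures discussed in the thread:
hashes readable in /etc/passwd (no shadow file), empty passwords, and
extra uid-0 accounts.  Classic 7-field layout:
    name:password:uid:gid:gecos:home:shell
"""

# Constructed sample: BSD-style hashes in field 2, one shadowed entry,
# one empty password, a second uid-0 account and a malformed line.
SAMPLE_PASSWD = """\
root:Nq.hVX2pPh0P6:0:0:Charlie Root:/root:/bin/sh
crissl:x:1001:100:Stefan Linnemann:/home/crissl:/bin/csh
guest::1002:100:Guest Account:/home/guest:/bin/sh
ropg:abcdefgHijkLM:1003:100:Rop Gonggrijp:/home/ropg:/bin/sh
toor:kJ8x.Kr7Yx9Qw:0:0:Bourne-again Superuser:/root:/bin/sh
broken:x:1004:100:Bad Line:/home/broken
"""

# Field-2 values that mean "the real hash lives elsewhere" or "login disabled".
SHADOW_MARKERS = {"x", "*", "!", "!!", "*LK*"}


def audit_passwd(text: str) -> dict:
    """Return findings keyed by category: lists of user names, or of raw
    lines for entries that do not have exactly seven fields."""
    findings = {"malformed": [], "empty_password": [],
                "hash_exposed": [], "extra_uid0": []}
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings["malformed"].append(raw)
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings["empty_password"].append(name)
        elif pw not in SHADOW_MARKERS:
            # A hash here is readable by every user on the system: exactly the
            # situation the thread describes for BSD /etc/passwd.
            findings["hash_exposed"].append(name)
        if uid == "0" and name != "root":
            findings["extra_uid0"].append(name)
    return findings


if __name__ == "__main__":
    for category, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{category}: {names}")
```

Running it against a real file (`audit_passwd(open("/etc/passwd").read())`) on a shadowed system should leave `hash_exposed` empty; any name listed there is a hash every local user can read.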