Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!sdd.hp.com!spool.mu.edu!agate!agate!dpassage
From: dpassage@soda.berkeley.edu (David G. Paschich)
Newsgroups: comp.admin.policy
Subject: Re: Student suspended for distributing /etc/passwd
Message-ID:
Date: 14 Jun 91 21:22:38 GMT
References:
Sender: usenet@agate.berkeley.edu (USENET Administrator)
Organization: /accounts/dpassage/.organization
Lines: 28
In-Reply-To: pcg@aber.ac.uk's message of 14 Jun 91 17:24:40 GMT

In article pcg@aber.ac.uk (Piercarlo Grandi) writes:

   crissl> Read the following carefully:
   crissl> [ ... /etc/passwd can be searched for obvious password ... ]
   crissl> /etc/passwd is a security risk, that has not been plugged, yet.

   This is only true for system administrators that are not that careful
   about security. There are at least two freely available /etc/shadow
   implementations. Kerberos is freely available too. If your /etc/passwd
   does contain the encryptions of actual password, you have *chosen* to
   do so, or you are very much behind the times, and you should not be a
   sysadmin.

Unless you're running a very strange proprietary OS, like Apollo's
Domain/OS, which makes it impossible to replace the standard login,
passwd, etc. programs because they use an unpublished, proprietary
format.

Please don't make blanket statements that having passwords in
/etc/passwd is always the administrator's fault. I would very much
like to run shadow password software on the system I run, but my
group's lack of funds to buy a better machine with a better OS
prevents me from doing so.

--
David G. Paschich	Open Computing Facility		UC Berkeley
dpassage@ocf.berkeley.edu
"But I'd rather be a fish, 'cause a fish is an animal" -- Gener Fox
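Added example, not part of the original post: a small audit that reads passwd-format text and reports which accounts still carry a password hash (or no password at all) in the world-readable file, which is the condition the thread is arguing about. The function names are hypothetical, the sample entries are constructed, and treating `x` as the "hash is in a shadow file" placeholder is an assumption about the shadow implementation in use.

```python
import re

# Traditional DES crypt(3) output: exactly 13 chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_password_field(field):
    """Classify the second field of one passwd-format entry."""
    if field == "":
        return "empty"            # account can be used with no password
    if field == "x":
        return "shadowed"         # assumed placeholder: hash kept in a root-only file
    if field[0] in "*!":
        return "locked"           # can never equal any crypt output
    if field.startswith("$") or DES_CRYPT.match(field):
        return "hash-exposed"     # hash readable by every local user
    return "unknown"

def audit_passwd(text):
    """Return (line number, account, status) for entries needing attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            findings.append((lineno, parts[0], "malformed"))
            continue
        status = classify_password_field(parts[1])
        if status in ("hash-exposed", "empty", "unknown"):
            findings.append((lineno, parts[0], status))
    return findings

# Constructed sample entries; the hash-like strings are fillers, not real hashes.
SAMPLE = "\n".join((
    "root:x:0:0:root:/root:/bin/sh",
    "alice:ab01234567890:1001:100:Alice:/home/alice:/bin/sh",
    "bob::1002:100:Bob:/home/bob:/bin/sh",
    "daemon:*:1:1:daemon:/:/bin/false",
    "carol:$6$constructedsalt$constructedhash:1003:100:Carol:/home/carol:/bin/sh",
    "broken:line",
))

if __name__ == "__main__":
    for lineno, account, status in audit_passwd(SAMPLE):
        print(f"line {lineno}: {account}: {status}")
```

An empty result means every entry is either shadowed or locked; on a system like the one described in the reply, where the login programs cannot be replaced, the same report at least shows which accounts are exposed.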