Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!caip!rutgers!uwvax!mcvoy
From: mcvoy@rsch.WISC.EDU (Lawrence W. McVoy)
Newsgroups: net.unix-wizards
Subject: Re: Do not use blank lines in /etc/passwd
Message-ID: <2837@rsch.WISC.EDU>
Date: Mon, 20-Oct-86 17:09:13 EDT
Article-I.D.: rsch.2837
Posted: Mon Oct 20 17:09:13 1986
Date-Received: Tue, 21-Oct-86 23:45:37 EDT
References: <4701@brl-smoke.ARPA>
Reply-To: mcvoy@rsch.WISC.EDU (Lawrence W. McVoy)
Organization: U of Wisconsin CS Dept
Lines: 19

In article <4701@brl-smoke.ARPA> hoey@NRL-AIC.arpa (Dan Hoey) writes:
>At least in vanilla 4.2, having blank lines anywhere in your password
>file opens a security hole that I will forbear to discuss on this list.
>I have not verified this on other systems, but I advise you to stick to
>the standard format. If you want to insert blank lines for readability
>(which is how I discovered the bug) use nearly-blank lines like
>
>x:*:0:0: ::

Umm, could be sort of a security hole in itself: if anyone can make a
match to the "*" you have let them enter the system as root (uid==0).

I realize that "*" and "**" etc are commonly used and probably pose no
risk on most [all?] versions of Unix, but why tempt fate? Make the uid
& gid be something harmless and be sure.
--
Larry McVoy mcvoy@rsch.wisc.edu,
{seismo, topaz, harvard, ihnp4, etc}!uwvax!mcvoy

"They're coming soon! Quad-stated guru-gates!"
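A check for the two hazards raised in this thread, blank lines and a placeholder entry that carries uid 0, written as an added example that is not part of either poster's article. The function name, the sample file contents, the seven-field layout check and the policy that only the entry named root may hold uid 0 are assumptions made for illustration.

```python
"""Lint a passwd-format file for blank lines and stray uid-0 entries."""
import sys

# Constructed sample for illustration; not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/bin/false

x:*:0:0: ::
alice:x:1001:1001:Alice:/home/alice:/bin/sh
"""


def audit_passwd(text):
    """Return (line_number, finding) pairs for entries worth reviewing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            # The quoted article reports these as a hole on vanilla 4.2.
            findings.append((lineno, "blank line"))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "expected 7 fields, got %d" % len(fields)))
            continue
        name, uid, gid = fields[0], fields[2], fields[3]
        if not name:
            findings.append((lineno, "empty login name"))
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((lineno, "non-numeric uid or gid"))
        elif int(uid) == 0 and name != "root":
            # Assumed policy: only the entry named root may hold uid 0.
            findings.append((lineno, "uid 0 on non-root entry %r" % name))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            data = handle.read()
    else:
        data = SAMPLE
    results = audit_passwd(data)
    for lineno, finding in results:
        print("line %d: %s" % (lineno, finding))
    sys.exit(1 if results else 0)
```

Run against the constructed sample, it reports the blank line and the nearly-blank `x` entry; giving that entry a harmless uid and gid, as suggested in the reply, clears the second finding.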