Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!caip!rutgers!ll-xn!mit-eddie!genrad!decvax!decwrl!sun!guy
From: guy@sun.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Do not use blank lines in /etc/passwd
Message-ID: <8352@sun.uucp>
Date: Tue, 21-Oct-86 15:03:34 EDT
Article-I.D.: sun.8352
Posted: Tue Oct 21 15:03:34 1986
Date-Received: Wed, 22-Oct-86 05:51:05 EDT
References: <4701@brl-smoke.ARPA> <2837@rsch.WISC.EDU>
Organization: Sun Microsystems, Inc.
Lines: 17

> Umm, could be sort of a security hole in itself: if anyone can make
> a match to the "*" you have let them enter the system as root (uid==0).

No, it can't, because they can't.  Remember, the password stored in
"/etc/passwd" is an *encrypted* password, and the password check is done by
encrypting the password the user types (or, more correctly, encrypting a
constant string using the password as key) and comparing it with the
encrypted password from "/etc/passwd".  The System V manual explicitly
states that the encrypted password is 13 characters long and will not
contain any characters other than ".", "/", letters, or numbers.  This is
also true of other UNIX systems, since they use the same encryption software.
--
	Guy Harris
	{ihnp4, decvax, seismo, decwrl, ...}!sun!guy
	guy@sun.com (or guy@sun.arpa)
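
Added example, not part of the original post: an audit of passwd-format lines that uses the property stated above (an encrypted password is exactly 13 characters drawn from ".", "/", letters and digits) to separate fields that could be a real hash from fields such as "*" that no typed password can ever match. The function names and sample lines are constructed for illustration, and the seven-field layout is the traditional passwd format, assumed here.

```python
import re

# Traditional crypt(3) output as described in the post: exactly 13 characters,
# each one of ".", "/", a letter, or a digit.
CRYPT13 = re.compile(r"[./0-9A-Za-z]{13}")


def classify_field(pw):
    """Classify the password field of one passwd entry."""
    if pw == "":
        return "empty"        # no password stored at all
    if CRYPT13.fullmatch(pw):
        return "hash"         # has the shape of an encrypted password
    return "unmatchable"      # e.g. "*": encryption can never produce this


def audit(lines):
    """Return (line_number, login, status) for each line of a passwd-format file."""
    report = []
    for n, line in enumerate(lines, start=1):
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            # Wrong field count; this is also how a blank line shows up.
            report.append((n, None, "malformed"))
            continue
        report.append((n, fields[0], classify_field(fields[1])))
    return report


# Constructed sample input (not taken from any real system).
SAMPLE = [
    "root:ab01CdEfGhIjK:0:0:Super-User:/:/bin/sh",
    "daemon:*:1:1::/:",
    "",
    "guest::100:100:Guest:/usr/guest:/bin/sh",
    "uucp:NOLOGIN:5:5::/usr/spool/uucp:/usr/lib/uucp/uucico",
]

if __name__ == "__main__":
    for n, login, status in audit(SAMPLE):
        print(n, login, status)
```
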