Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!sri-spam!mordor!lll-crg!lll-lcc!pyramid!cti!eric
From: eric@cti.UUCP (Eric Black)
Newsgroups: net.unix-wizards
Subject: Re: Do not use blank lines in /etc/passwd
Message-ID: <372@cti.cti.UUCP>
Date: Fri, 24-Oct-86 20:36:21 EDT
Article-I.D.: cti.372
Posted: Fri Oct 24 20:36:21 1986
Date-Received: Sun, 26-Oct-86 01:45:47 EDT
References: <4701@brl-smoke.ARPA> <2837@rsch.WISC.EDU> <8352@sun.uucp>
Reply-To: eric@cti.UUCP (Eric Black)
Organization: Cornerstone Technology, Inc.
Lines: 34

In article <8352@sun.uucp> guy@sun.uucp (Guy Harris) writes:
>[somebody wrote, I could go back and find who, but I'm lazy]:
>> Umm, could be sort of a security hole in itself: if anyone can make
>> a match to the "*" you have let them enter the system as root (uid==0).
>
>No, it can't, because they can't.

Lots of similar mail messages and articles to come, no doubt. I always
thought it was obvious, but enough people have expressed "ah-ha!"-type
wonder at this that maybe it bears repeating, and now's a good time.

There is always an amount of turnover at universities and companies, and
user accounts need to be zapped and/or de-activated. Many times, however,
the *files* owned by those folks, in those directories, want to remain;
there are also occasions where it is desirable to temporarily prevent a
user or account from logging in.

A superuser (or adequately privileged user) can zap the user's password,
either with the passwd command or by editing the /etc/passwd file, but
since there is "no" way to determine a user's password from the encrypted
form in /etc/passwd, it's hard to set it back.

A convenient method is to edit the passwd file and insert some character
at the beginning of the password string. I like to use '%', because it is
one of the characters that is never generated in an encryption string and
is easy to find and edit out later.

A password can NEVER be entered which matches the user's (new) password,
preventing logins (and su's other than by root), yet it is easy to give
that person his/her password back.

A trivial point, to be sure, but I thought it was obvious and it
apparently isn't.

--
Eric Black   "Garbage In, Gospel Out"
UUCP: {sun,pyramid,hplabs,amdcad}!cti!eric
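The lock-by-prefix trick above works because classic crypt(3) output is drawn from a fixed 13-character alphabet, so a field containing '%' (or '*') can never equal the encryption of any typed password. The following is an added example, not code from the post: it locks and unlocks an entry in a constructed passwd file, checks whether a field is unmatchable, and rejects the blank lines the thread's subject warns about. It assumes DES-style crypt output; modern `$id$` hashes would need a wider pattern.

```python
import re

# Traditional crypt(3) output: 2 salt chars + 11 hash chars, all from this
# alphabet. Assumption: classic DES crypt, as on the systems the post discusses.
CRYPT_OUTPUT = re.compile(r"^[./0-9A-Za-z]{13}$")
LOCK_CHAR = "%"  # never produced by crypt, so a prefixed field can never match


def parse_passwd(text):
    """Split passwd text into 7-field records; blank or malformed lines are errors."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        records.append(fields)
    return records


def is_locked(pw_field):
    """True when no typed password can produce this field, i.e. it is not valid
    crypt output. An EMPTY field is not locked: it admits anyone with no password."""
    return pw_field != "" and CRYPT_OUTPUT.match(pw_field) is None


def lock_user(text, user):
    """Return passwd text with `user`'s hash prefixed by LOCK_CHAR (idempotent)."""
    out = []
    for fields in parse_passwd(text):
        if fields[0] == user and not fields[1].startswith(LOCK_CHAR):
            fields[1] = LOCK_CHAR + fields[1]
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def unlock_user(text, user):
    """Strip the lock prefix again, restoring the original hash untouched."""
    out = []
    for fields in parse_passwd(text):
        if fields[0] == user and fields[1].startswith(LOCK_CHAR):
            fields[1] = fields[1][len(LOCK_CHAR):]
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


# Constructed sample file; both hashes are made-up 13-char strings in crypt's alphabet.
SAMPLE = ("root:aBcDeFgHiJkLm:0:0:Super User:/:/bin/sh\n"
          "alice:Xy1Zq9./abCdE:101:20:Alice:/u/alice:/bin/csh\n")

if __name__ == "__main__":
    locked = lock_user(SAMPLE, "alice")
    print(locked)
    print("alice locked:", is_locked(parse_passwd(locked)[1][1]))
    print("restored:", unlock_user(locked, "alice") == SAMPLE)
```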