Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!lll-crg!seismo!rpics!brspyr1!tim
From: tim@brspyr1.UUCP (Tim Northrup)
Newsgroups: net.unix-wizards
Subject: Re: Do not use blank lines in /etc/passwd
Message-ID: <96@brspyr1.UUCP>
Date: Thu, 23-Oct-86 19:33:47 EST
Article-I.D.: brspyr1.96
Posted: Thu Oct 23 19:33:47 1986
Date-Received: Sun, 26-Oct-86 01:50:20 EST
References: <4701@brl-smoke.ARPA> <2837@rsch.WISC.EDU>
Organization: BRS Information Technologies, Latham NY
Lines: 31

In article <2837@rsrch.WISC.EDU> mcvoy@rsch.wisc.edu (Larry McVoy) writes:
> In article <4701@brl-smoke.ARPA> hoey@NRL-AIC.arpa (Dan Hoey) writes:
> >At least in vanilla 4.2, having blank lines anywhere in your password
> >file opens a security hole that I will forbear to discuss on this list.
> >I have not verified this on other systems, but I advise you to stick to
> >the standard format.  If you want to insert blank lines for readability
> >(which is how I discovered the bug) use nearly-blank lines like
> >
> >x:*:0:0: ::
>
> Umm, could be sort of a security hole in itself: if anyone can make
> a match to the "*" you have let them enter the system as root (uid==0).
> I realize that "*" and "**" etc are commonly used and probably pose
> no risk on most [all?] versions of Unix, but why tempt fate?  Make the
> uid & gid be something harmless and be sure.

I was under the impression that the /etc/passwd table used crypt(3)
style passwords, and that the password generated was ALWAYS 13
characters long.  If this is still the case, it is IMPOSSIBLE to
generate a password that matches '*'.  (We use it for all of our
secure ID's).
--
Tim Northrup                  (518) 783-1161
BRS Information Technologies  ...!ihnp4!dartvax!brspyr1!tim
1200 Route 7                  ...!seismo!rpics!brspyr1!tim
Latham, NY 12110              tim@brspyr1.UUCP
======== INSERT STANDARD DISCLAIMER FORM 43Z892-BXY/86.3 HERE =============
"It's good to be the king!"
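
An added example, not part of the original post or the articles it quotes: a small Python check of a passwd-format file for the conditions this thread discusses (blank lines, extra uid 0 entries, and password fields that cannot be a 13-character crypt(3) result). The function names and the sample file are constructed for illustration, and the check assumes the traditional 13-character crypt(3) format the post refers to.

```python
import re

# Assumption: traditional crypt(3) output, 13 characters from [./0-9A-Za-z].
CRYPT13 = re.compile(r"[./0-9A-Za-z]{13}")

def classify_pw(field):
    """Classify a passwd password field under the 13-character assumption."""
    if field == "":
        return "empty"            # no password set
    if CRYPT13.fullmatch(field):
        return "hash"             # shaped like a crypt(3) result
    return "unmatchable"          # e.g. "*": wrong length, can never compare equal

def audit_passwd(text):
    """Return (line_number, finding) pairs for a passwd-format string."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            findings.append((n, "blank line"))
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((n, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        kind = classify_pw(pw)
        if uid == 0 and name != "root":
            findings.append((n, f"uid 0 entry {name!r} with {kind} password field"))
        if kind == "empty":
            findings.append((n, f"empty password field for {name!r}"))
    return findings

# Constructed sample file (hash strings are made up, not real crypt output).
SAMPLE = (
    "root:ab1cdEFgh2ijk:0:0:Root:/:/bin/sh\n"
    "\n"
    "x:*:0:0: ::\n"
    "guest::100:10:Guest:/usr/guest:/bin/sh\n"
    "alice:zzT4.kq9/LmNo:101:10:Alice:/usr/alice:/bin/csh\n"
)

if __name__ == "__main__":
    for n, finding in audit_passwd(SAMPLE):
        print(f"line {n}: {finding}")
```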