Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!umcp-cs!chris
From: chris@umcp-cs.UUCP (Chris Torek)
Newsgroups: net.unix-wizards
Subject: Re: Do not use blank lines in /etc/passwd
Message-ID: <4078@umcp-cs.UUCP>
Date: Thu, 30-Oct-86 05:01:44 EST
Article-I.D.: umcp-cs.4078
Posted: Thu Oct 30 05:01:44 1986
Date-Received: Fri, 31-Oct-86 01:45:18 EST
References: <4701@brl-smoke.ARPA> <2837@rsch.WISC.EDU>
Reply-To: chris@umcp-cs.UUCP (Chris Torek)
Organization: University of Maryland, Dept. of Computer Sci.
Lines: 25

>In article <4701@brl-smoke.ARPA> hoey@NRL-AIC.arpa (Dan Hoey) writes:
>>At least in vanilla 4.2, having blank lines anywhere in your password
>>file opens a security hole that I will forbear to discuss on this list.
>>...  If you want to insert blank lines for readability (which is
>>how I discovered the bug) use nearly-blank lines like
>>
>>x:*:0:0:                                                             ::

In article <2837@rsch.WISC.EDU> mcvoy@rsch.WISC.EDU (Lawrence W. McVoy) writes:
>Umm, could be sort of a security hole in itself. . . .

Not as bad as the original blank-line problem.

In fact, if you insert a line of the form

	:*:0:0:::

near the top of the file, this provides an ugly sort-of-workaround to
the original problem.  The *real* problem is that the C library
getpwent() routine is not careful, and that passwd is not careful
about getpwent().
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7690)
UUCP:	seismo!umcp-cs!chris
CSNet:	chris@umcp-cs		ARPA:	chris@mimsy.umd.edu