Path: utzoo!attcan!uunet!auspex!guy
From: guy@auspex.UUCP (Guy Harris)
Newsgroups: comp.unix.wizards
Subject: Re: Implications of recent virus (Trojan Horse) attack
Keywords: virus security
Message-ID: <439@auspex.UUCP>
Date: 11 Nov 88 22:43:55 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2151@ficc.uu.net> <8845@smoke.BRL.MIL> <14465@mimsy.UUCP> <8858@smoke.BRL.MIL>
Reply-To: guy@auspex.UUCP (Guy Harris)
Distribution: na
Organization: Auspex Systems, Santa Clara
Lines: 15

>If this hole exists, it can be traced to getpwent() not being careful
>enough when it parses /etc/passwd records. See UNIX System V for the
>simplest fix.

If that fix is "have 'getpwent()' return NULL if the entry it looks at
is syntactically incorrect," the fix is simple but rather rude; the net
result is that any program scanning the password file linearly - e.g.,
"passwd" - will think it's at the end of the file if it sees such a
syntactically incorrect line.

Having "passwd" cut off the password file as soon as it sees a blank
line isn't very nice; ignoring the syntactically-invalid lines, or
passing them through unchanged, is probably a better idea. The former
could be done by having "getpwent" skip over those entries, rather than
return NULL on them; the latter requires that "passwd" not just naively
use "(f)getpwent" and "putpwent" to update the password file.
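
Added example, not part of the original post and not code from any real libc: a small C simulation of a "passwd"-style rewrite over a constructed password file, comparing the three behaviours the post discusses (treat a bad line as end of file, skip it, or pass it through unchanged). The names rewrite, well_formed and the policy constants are hypothetical, and the validity rule (exactly seven colon-separated fields with a non-empty name) is a simplifying assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample file: line 3 is blank, line 4 has too few fields. */
static const char *SAMPLE[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "daemon:x:1:1:daemon:/:/bin/false",
    "",
    "broken:x:5",
    "guy:x:100:10:Guy:/home/guy:/bin/csh",
};
enum { NLINES = sizeof SAMPLE / sizeof SAMPLE[0] };
enum policy { STOP_AT_BAD, SKIP_BAD, PASS_THROUGH };

/* Assumed rule: non-empty name and exactly 6 colons (7 fields). */
static int well_formed(const char *line)
{
    int colons = 0;
    const char *p;
    if (*line == '\0' || *line == ':') return 0;
    for (p = line; *p; p++) if (*p == ':') colons++;
    return colons == 6;
}

/* Copy the file into out the way an updating program would, applying one
   policy to malformed lines. Returns lines written, or -1 if out is too small. */
int rewrite(enum policy pol, char *out, size_t outsz)
{
    size_t used = 0;
    int i, written = 0;
    out[0] = '\0';
    for (i = 0; i < NLINES; i++) {
        if (!well_formed(SAMPLE[i])) {
            if (pol == STOP_AT_BAD) break;    /* reader saw "end of file" */
            if (pol == SKIP_BAD) continue;    /* bad line dropped, scan goes on */
        }                                     /* PASS_THROUGH copies it as is */
        if (used + strlen(SAMPLE[i]) + 2 > outsz) return -1;
        used += (size_t)snprintf(out + used, outsz - used, "%s\n", SAMPLE[i]);
        written++;
    }
    return written;
}

int main(void)
{
    char buf[512];
    printf("stop: %d lines\n", rewrite(STOP_AT_BAD, buf, sizeof buf));
    printf("skip: %d lines\n", rewrite(SKIP_BAD, buf, sizeof buf));
    printf("pass: %d lines\n", rewrite(PASS_THROUGH, buf, sizeof buf));
    return 0;
}
```

With the stop policy the rewritten file loses every account after the blank line, including the valid "guy" entry; the other two policies keep it.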