Path: utzoo!utgpu!watmath!clyde!att!chinet!ptownson
From: ptownson@chinet.chi.il.us (Patrick Townson)
Newsgroups: comp.unix.wizards
Subject: Protecting Password Files
Message-ID: <7274@chinet.chi.il.us>
Date: 25 Dec 88 08:44:38 GMT
Organization: Chinet - Chicago Public Access UNIX
Lines: 66

I got to thinking about the security of /etc/passwd files, and it seems to me they are awfully easy to tamper with.

Any user can 'cd ..' a few times until they are down to the root directory, where they can cd etc. Once in etc, they can emacs passwd to review the file. Now of course the entries are encrypted, but not to worry, I do not have to be able to figure it out; after all, I *know what my password is*. I can use 'cut and paste' techniques to lift my encrypted password and sit it on top (or 'paste it over') your encrypted password, can't I? Then my password goes with your account as well as my own.

I can hear your objection now: you say passwd is protected against writing to the file. The permissions allow only the owner -- in this case the computer -- to write the file. Not being the owner, I will be unable to chmod 666 the file or otherwise adjust the permissions. Again, not to worry, for where chmod can't do the job, DIRED can.....

If I park myself on etc, and call DIRED, I can get right in there and diddle those permissions as required, plugging in 'w' for others on passwd. Once etc has been properly diddled via DIRED, I won't get any arguments when I emacs passwd and start cutting and pasting or when I save the file back out. At that point, I can log in as you, but using my (pasted over) password instead of yours.

If a person wanted to be a real sneak about it, they would not simply paste over the sysadmin's password with their own, causing the sysadmin to be locked out of his own machine. If the sysadmin came along and decided to login, there would be hell to pay. The jig would be up real quick.

If I were going to do something like that, I'd be likely to cp passwd myfile, then do the cut and paste job on myfile. Logged in as myself, I'd swap out /etc/passwd with /etc/myfile, renaming my (pasted up) file as passwd. Quickly now, login as sysadmin, using my own password after all, and as the first order of business swap myfile and passwd back again so that if the real sysadmin wanted to login, he would be able to do so without any hassle. I would keep myfile handy, and whenever I wanted to go on as sysadmin (or you, perhaps?) I would first go on as myself, make the swapout, login as whoever and reverse the swap, so as not to 'inconvenience' the true owner of the account. [Actually, so as not to tip off the authorities! :-) ]

Instead of just picking on the sysadmin, one might simply change all encrypted password strings to one's own encrypted password string. Change every occurrence. This special copy of /etc/passwd would have every user with the same password, namely mine!

Oh, I'm sure it would not actually work...I must be overlooking something. Prolly one or more of you guys will stand me corrected in a minute.

The catch seems to be that DIRED sees nothing wrong with working on /etc/passwd. Either DIRED should refuse to work on etc or ideally, DIRED should be unable to edit the permissions area in directories.

Am I missing something, or is this a simple, easy way to break into anyone's account with no reference to their true password at all?

Patrick Townson (replies by mail will be fine, or here as you wish)
ptownson@chinet.chi.il.us
ptownson@bu-cs.bu.edu
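The hash-pasting step the post describes, worked through on a constructed passwd file. This is an added example, not code from the original post. It stands in for crypt(3) with a salt-prefixed SHA-256 (an assumption so the script runs anywhere; the 1988 scheme was salted DES, and the shape that matters is the same: the stored string carries its own salt). The user names, salts and passwords are constructed sample data. The example shows that, *if* an attacker can write the file, copying their own salt+hash string over another entry does let their password open that account, and that the only thing standing in the way is the write/ownership check that `can_tamper` models: chmod(2) returns EPERM to a caller who is neither the file's owner nor root, regardless of which program (dired, chmod, emacs) issues the call.

```python
import hashlib
import os

SALT_LEN = 2  # crypt(3) used a 2-character salt prefix


def crypt_like(password: str, salt: str) -> str:
    """Stand-in for crypt(3) (assumption: salted SHA-256, not DES).
    Like crypt(3), the salt is stored as a prefix of the result, so the
    string is self-describing and verifies wherever it is pasted."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest


def verify(stored: str, password: str) -> bool:
    """Recompute with the salt carried inside the stored string."""
    return crypt_like(password, stored[:SALT_LEN]) == stored


def parse_passwd(text: str) -> dict:
    """user -> list of the seven colon-separated passwd(5) fields."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def render_passwd(entries: dict) -> str:
    return "\n".join(":".join(f) for f in entries.values()) + "\n"


def splice_hash(text: str, attacker: str, victim: str) -> str:
    """The 'paste my encrypted password over yours' step."""
    entries = parse_passwd(text)
    entries[victim][1] = entries[attacker][1]
    return render_passwd(entries)


def splice_all(text: str, attacker: str) -> str:
    """The 'change every occurrence' variant: every account gets my hash."""
    entries = parse_passwd(text)
    mine = entries[attacker][1]
    for fields in entries.values():
        fields[1] = mine
    return render_passwd(entries)


def login(text: str, user: str, password: str) -> bool:
    """What login(1) does: look the user up and check the password."""
    entries = parse_passwd(text)
    return user in entries and verify(entries[user][1], password)


def can_tamper(path: str) -> bool:
    """The actual control. Writing needs W_OK; changing the mode needs
    ownership or uid 0. dired issues the same chmod(2) as chmod(1)."""
    if os.access(path, os.W_OK):
        return True
    return os.geteuid() == 0 or os.stat(path).st_uid == os.geteuid()


# Constructed sample file (not a real passwd file).
PASSWD = (
    "root:" + crypt_like("toor", "ab") + ":0:0:root:/:/bin/sh\n"
    "ptownson:" + crypt_like("chinet88", "cd")
    + ":101:10:Patrick Townson:/usr/ptownson:/bin/sh\n"
    "alice:" + crypt_like("wonderland", "ef") + ":102:10:Alice:/usr/alice:/bin/sh\n"
)


if __name__ == "__main__":
    tampered = splice_hash(PASSWD, "ptownson", "alice")
    print("alice with attacker pw, original file:", login(PASSWD, "alice", "chinet88"))
    print("alice with attacker pw, tampered file:", login(tampered, "alice", "chinet88"))
    print("alice with her own pw, tampered file: ", login(tampered, "alice", "wonderland"))
    everyone = splice_all(PASSWD, "ptownson")
    print("root with attacker pw, all spliced:   ", login(everyone, "root", "toor"),
          login(everyone, "root", "chinet88"))
    print("can tamper with /etc/passwd:", can_tamper("/etc/passwd"))
```

Run as an ordinary user, the last line prints `False` on a normal system: `/etc/passwd` is mode 644 owned by root, so neither the write nor the chmod is permitted, and the splice functions never get a file to operate on. The interesting property the script does confirm is that the hash-pasting itself would work, because the salt moves with the hash; that is why the write protection on the file, not the encryption of its contents, is the control that matters.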