Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!agate!bionet!ames!lll-winken!uunet!uvm-gen!tnl!norstar
From: norstar@tnl.UUCP (Daniel Ray)
Newsgroups: comp.unix.questions
Subject: Re: /etc/shadow equivalent without a source license!
Summary: good points well taken
Message-ID: <202@tnl.UUCP>
Date: 5 Apr 89 15:11:16 GMT
References: <18939@adm.BRL.MIL>
Organization: The Northern Lights, Burlington VT
Lines: 43

In article <18939@adm.BRL.MIL>, rbj@dsys.icst.nbs.gov (Root Boy Jim) writes:
>
> I disagree. Both files, /etc/passwd *and* /etc/shadow should look *exactly*
> alike, except that the passwords in /etc/passwd should be random. Consider:
>
> The Bad Guy is really, or rather looks like, a Good Guy. That is, he
> has an account on your machine. So he changes his password, and sees
> that /etc/passwd doesn't change, or that the entry remains `x'. You
> have now alerted him to the fact that /etc/passwd is not the real
> file, so he goes looking for the real one. The above reasoning applies
> if he gets a copy of /etc/passwd somehow.

A very good suggestion. I thought of it, but decided that it might be just
too complicated simulating the encrypted keys, and when they are changed.
Maybe I'll do this down the road, however.

> ...
> In any case, there are several solutions to the problem of changing
> /etc/shadow to mode 400 instead of mode 444. The first is the
> hard way; either use bpatch or adb or something else, find the
> constant 444, and change it to 400. Another easier way is to
> wrap /bin/passwd in another program that simply does a chmod
> after the real /bin/passwd runs. This leaves a small window
> where /etc/shadow could possibly be read however.

I solved this by making the NEW real password file something like
/dir/x/y/ze with the parent directories /dir/x/y being closed. No chmod
necessary, *and* it prevents links to the file.

>
>	Catman Rshd
> Author of "The Daemonic Versions"

I just got ahold of the excellent public domain /su/passwd/login clone
programs from jfh@rpp386, so I have something new to play with as far as
passwd goes. Fun fun!

norstar
The Northern Lights, Burlington Vermont     |        There *is*
tnl dialins: 802-865-3614 at 300-2400 bps.  `  |  /   no real security
-----------------------------------------   --- * --- so let's
uucp: uunet!uvm-gen!tnl!norstar or          /  |  .   PRETEND!
      {decvax,linus}!dartvax!uvm-gen!tnl!norstar |
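The "closed parent directory" trick the poster describes (a world-readable file at /dir/x/y/ze that nobody but the owner can reach, because an ancestor directory denies search permission) works on any Unix, but it is easy to break later by loosening one directory in the chain. The script below is an added example, not code from this thread or from the poster; it audits the directory chain above an arbitrary file and reports whether at least one ancestor is closed to group and other. The function names (has_x, chain_closed, demo), the optional BASE argument that limits how far up the chain is walked, and the scratch layout built under mktemp are my own assumptions; it generalizes the poster's single case to any path.

```sh
#!/bin/sh
# Added example (not from the original thread): audit the directory chain
# above a sensitive file, the way the poster hides the real password file
# under /dir/x/y/ze with /dir/x/y "closed".
# A non-owner can only reach a file if *every* ancestor directory grants
# search (x) permission, so one closed ancestor blocks reads of, and hard
# links to, the file regardless of the file's own mode.

# has_x CHAR: true if a mode character from `ls -ld` grants execute/search.
# 'S' and 'T' mean setgid/sticky *without* execute, so they count as closed.
has_x() {
    case "$1" in
        x|s|t) return 0 ;;
        *)     return 1 ;;
    esac
}

# chain_closed FILE [BASE]: print the mode of each ancestor of FILE below
# BASE (default /) and return 0 if at least one of them denies search
# permission to both group and other, 1 otherwise.
# Assumed helper name; mode string positions 7 and 10 are group x / other x.
chain_closed() {
    base=${2:-/}
    dir=$(dirname "$1")
    closed=1
    while [ "$dir" != "$base" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        printf '%s %s\n' "$mode" "$dir"
        grp_x=$(printf '%s\n' "$mode" | cut -c7)
        oth_x=$(printf '%s\n' "$mode" | cut -c10)
        if ! has_x "$grp_x" && ! has_x "$oth_x"; then
            closed=0
        fi
        dir=$(dirname "$dir")
    done
    return "$closed"
}

# demo: build the poster's layout in a constructed scratch directory and
# compare it with an ordinary world-searchable chain. Returns 0 if the
# closed chain is detected and the open chain is not.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 700 "$tmp/x"                       # the "closed" parent
    mkdir -m 755 "$tmp/x/y"
    : > "$tmp/x/y/ze"; chmod 644 "$tmp/x/y/ze"  # file itself is world-readable
    mkdir -m 755 "$tmp/open"
    : > "$tmp/open/ze"; chmod 644 "$tmp/open/ze"
    ok=1
    if chain_closed "$tmp/x/y/ze" "$tmp" && ! chain_closed "$tmp/open/ze" "$tmp"; then
        ok=0
    fi
    rm -rf "$tmp"
    return "$ok"
}

demo && echo "closed-chain check behaves as expected"
```

Run it as `sh audit.sh`, or source it and call `chain_closed /path/to/file` against a real location; a non-zero exit means every ancestor is searchable by group or other and the file is protected only by its own mode. The check is a defender's invariant, not a guarantee: it says nothing about root, about a process that already holds the file open, or about backups and copies elsewhere, and on current systems the conventional answer is simply a shadow file owned by root with a restrictive mode and a setuid passwd that updates it.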