
Re: fixing those pwdb shadow inconsistencies and holes

On Fri, 30 May 1997, Michael K. Johnson wrote:

> However, it's not at all clear to me that the Andrew's and Cristian's
> intent was to put that kind of policy at that level by default.

I have explained the policy we were thinking of in a previous mail,
regarding this shadow-fication (err, is it possible for such a term to exist
in English?! :-)

> Could either of you please explain where the policy border is supposed
> to lie?  I'll be happy to do the work if it's in pam_pwdb; I'm afraid
> that if it's in libpwdb it has the potential to take me a very much
> longer time to do because libpwdb is much more difficult to follow.

Whatever needs to be done to libpwdb, please tell me and I will handle it.
I don't get exactly to what type of policy you are referring to - could
you please be more specific ?

To anyone about to have a heart attack: pam_pwdb and libpwdb are not
broken; it depends on how you expect things to go. Except for the possible
exploits on the endian thing, there is no way one could compromise a
system using the 'exploits' mkj posted. In the worst case, a locked
account using the /etc/passwd '*' mechanism won't be locked, and this
comes in the first place from the missing -l(ock) and -u(nlock) args to the
passwd binary, which should place the '*' in the right place (on shadowed
systems, that is /etc/shadow, not /etc/passwd).

Anyway, this is going to be fixed. Now.
Best wishes,
		Cristian Gafton
Cristian Gafton                                    gafton@sorosis.ro
Computers & Communications Center              Network Administrator
http://www.sorosis.ro/~gafton                          Iasi, Romania
UNIX is user friendly. It's just selective about who its friends are.
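As an added illustration (not code from this thread, nor from libpwdb or pam_pwdb), the Python below resolves which password field actually governs an account on a shadowed system and flags the case the mail describes: a '*' in /etc/passwd while /etc/shadow still carries a live hash, so the account is not really locked. The passwd and shadow entries are constructed sample data with dummy hash strings. Treating both '*' and '!' as lock markers, and the reversible '!'-prefix lock/unlock in the shadow field, are assumptions borrowed from later shadow-utils behaviour; the mail itself only talks about placing '*' in /etc/shadow.

```python
"""Audit constructed passwd/shadow entries for the lock inconsistency
described in the mail: '*' in /etc/passwd but a usable hash in /etc/shadow."""

from typing import Dict, List, Optional

# Assumption: a password field starting with one of these can never match a
# hash, so it counts as "locked". '*' is the 1997 convention, '!' the later one.
LOCK_PREFIXES = ("*", "!")

# Constructed sample data (not from any real system); hashes are dummies.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:*:1001:1001:Bob:/home/bob:/bin/sh
carol:*:1002:1002:Carol:/home/carol:/bin/sh
dave:*:1003:1003:Dave (no shadow entry):/home/dave:/bin/sh
"""

SHADOW = """\
root:$1$salt$dummyroothash:10000:0:99999:7:::
alice:$1$salt$dummyalicehash:10000:0:99999:7:::
bob:$1$salt$dummybobhash:10000:0:99999:7:::
carol:*:10000:0:99999:7:::
"""


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map user -> fields for a passwd/shadow-style file; skip blanks/comments."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def is_locked(field: str) -> bool:
    """True when the field can never match a password hash."""
    return field.startswith(LOCK_PREFIXES)


def effective_password_field(user: str, passwd: Dict[str, List[str]],
                             shadow: Dict[str, List[str]]) -> Optional[str]:
    """On a shadowed system the shadow entry is authoritative; the field in
    /etc/passwd only matters for a user who has no shadow entry at all."""
    if user in shadow:
        return shadow[user][1]
    if user in passwd:
        return passwd[user][1]
    return None


def audit(passwd_text: str, shadow_text: str) -> Dict[str, str]:
    """Classify every passwd user as active, locked, no password, or
    inconsistent (looks locked in /etc/passwd, live hash in /etc/shadow)."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    report: Dict[str, str] = {}
    for user, fields in passwd.items():
        eff = effective_password_field(user, passwd, shadow) or ""
        if eff == "":
            report[user] = "no password"
        elif is_locked(eff):
            report[user] = "locked"
        elif is_locked(fields[1]) and user in shadow:
            report[user] = "inconsistent: '*' in passwd but live hash in shadow"
        else:
            report[user] = "active"
    return report


def _rewrite_shadow(shadow_text: str, user: str, lock: bool) -> str:
    """Return shadow_text with user's field locked ('!' prefix) or unlocked."""
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == user and len(fields) > 1:
            if lock and not is_locked(fields[1]):
                fields[1] = "!" + fields[1]        # reversible lock, hash kept
            elif not lock and fields[1].startswith("!"):
                fields[1] = fields[1][1:]          # '*' locks have no hash to restore
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def lock_shadow_entry(shadow_text: str, user: str) -> str:
    """The fix the mail calls for: lock in /etc/shadow, not /etc/passwd."""
    return _rewrite_shadow(shadow_text, user, lock=True)


def unlock_shadow_entry(shadow_text: str, user: str) -> str:
    return _rewrite_shadow(shadow_text, user, lock=False)


if __name__ == "__main__":
    for user, state in audit(PASSWD, SHADOW).items():
        print(f"{user:8} {state}")
```

Running the block prints bob as inconsistent (his '*' sits only in /etc/passwd), carol and dave as locked (carol via /etc/shadow, dave via /etc/passwd because he has no shadow entry), and root and alice as active; after lock_shadow_entry(SHADOW, "bob") the audit reports bob as locked.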
