[1339] in linux-security and linux-alert archive


[linux-security] Stupid passwd tricks: User with blank GECOS can't change passwd

daemon@ATHENA.MIT.EDU (IO ERROR)
Fri Dec 6 11:09:11 1996

Date: Fri, 6 Dec 1996 08:28:21 -0600 (CST)
From: IO ERROR <error@error.net>
To: redhat-list@redhat.com
cc: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

I have discovered that a user who has a blank GECOS field in the passwd file
under RedHat 4.0 (Colgate) is unable to change passwords.  Running the passwd
command goes like this: 
 
[user@host user]$ passwd
Password: [entry of old passwd]
New password: [entry of new passwd]
[user@host user]$ echo $!
1
[user@host user]$

Setting the name field in the GECOS seems to solve this problem.


[mod: While trying to reproduce this, I found different ways that
"passwd" could run into trouble. On MY Red Hat 4.0 system it does
"segmentation fault" when I have no GECOS field. My "test" user
couldn't authenticate himself, right after I changed the passwd
to a "known" value while I was root. 

[root@adder ~]$ passwd test
New password: 
New password (again): 
Password changed
passwd: all authentication tokens updated successfully
[root@adder ~]$ su - test
[test@adder test]$ passwd
Password: 
Password: 
Password: 
passwd: Authentication failure
[test@adder test]$ 

and 
[wolff@adder ~]$ passwd
Password: 
New password: 
Segmentation fault
[wolff@adder ~]$

-- REW]

--
Michael Hampton      Crossroads Communications            System Administrator
error@error.net      318 E Burlington, Iowa City, IA 52240      (319) 354-6614
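
Added example, not part of the original post: a small audit that lists accounts in passwd-format data whose GECOS field is blank, so an administrator can find the users the report above would affect. The sample entries are constructed, and flagging a GECOS whose comma-separated name subfield is empty (the common GECOS layout) is an assumption based on the poster's remark about setting the name field.

```python
"""Audit passwd(5)-format data for accounts with a blank GECOS field or name."""
import sys

# Constructed sample entries (not taken from the post).
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
test:x:501:501::/home/test:/bin/bash
wolff:x:502:502:,,,:/home/wolff:/bin/bash
alice:x:503:503:Alice Example,Room 1,,:/home/alice:/bin/bash
broken:x:504
"""


def audit_gecos(text):
    """Return (flagged, malformed).

    flagged   -- list of (username, reason) for blank GECOS or blank name
    malformed -- list of 1-based line numbers that do not have 7 fields
    """
    flagged, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # ignore empty lines
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append(lineno)  # report it; do not guess at the layout
            continue
        user, gecos = fields[0], fields[4]
        if gecos.strip() == "":
            flagged.append((user, "empty GECOS field"))
        elif gecos.split(",")[0].strip() == "":
            # Assumption: the first comma-separated subfield is the full name.
            flagged.append((user, "empty name subfield"))
    return flagged, malformed


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE
    flagged, malformed = audit_gecos(data)
    for user, reason in flagged:
        print(f"{user}: {reason}")
    for lineno in malformed:
        print(f"line {lineno}: malformed entry", file=sys.stderr)
```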

