[1339] in linux-security and linux-alert archive
[linux-security] Stupid passwd tricks: User with blank GECOS can't change passwd
daemon@ATHENA.MIT.EDU (IO ERROR)
Fri Dec 6 11:09:11 1996
Date: Fri, 6 Dec 1996 08:28:21 -0600 (CST)
From: IO ERROR <error@error.net>
To: redhat-list@redhat.com
cc: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
I have discovered that a user who has a blank GECOS field in the passwd file
under RedHat 4.0 (Colgate) is unable to change passwords. Running the passwd
command goes like this:
[user@host user]$ passwd
Password: [entry of old passwd]
New password: [entry of new passwd]
[user@host user]$ echo $!
1
[user@host user]$
Setting the name field in the GECOS seems to solve this problem.
[mod: While trying to reproduce this, I found different ways that
"passwd" could run into trouble. On MY Red Hat 4.0 system it does
"segmentation fault" when I have no GECOS field. My "test" user
couldn't authenticate himself, right after I changed the passwd
to a "known" value while I was root.
[root@adder ~]$ passwd test
New password:
New password (again):
Password changed
passwd: all authentication tokens updated successfully
[root@adder ~]$ su - test
[test@adder test]$ passwd
Password:
Password:
Password:
passwd: Authentication failure
[test@adder test]$
and
[wolff@adder ~]$ passwd
Password:
New password:
Segmentation fault
[wolff@adder ~]$
-- REW]
--
Michael Hampton Crossroads Communications System Administrator
error@error.net 318 E Burlington, Iowa City, IA 52240 (319) 354-6614
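
Added example, not part of the original post or of Red Hat's code: a shell/awk check that lists passwd-format entries with a blank GECOS field (field 5), the condition the report describes, and also entries whose name subfield (the text before the first comma) is empty. The function names, reason labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd(5)-format file for blank GECOS fields.

audit_gecos() {
    # $1: path to a passwd-format file (defaults to /etc/passwd)
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }              # skip blank lines and comments
        /^[+-]/            { next }              # skip NIS compat entries
        NF != 7 { print $1 ":malformed"; next }  # passwd(5) entries have 7 fields
        {
            gecos = $5
            name = gecos
            sub(/,.*/, "", name)                 # name = first comma-separated subfield
            gsub(/^[ \t]+|[ \t]+$/, "", name)    # ignore surrounding whitespace
            if (gecos == "")     print $1 ":blank-gecos"
            else if (name == "") print $1 ":blank-name"
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample data, not taken from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
test:x:500:500::/home/test:/bin/bash
wolff:x:501:501:,Room 12,555-0100:/home/wolff:/bin/bash
alice:x:502:502:Alice Example,,,:/home/alice:/bin/bash
broken:x:503:503
EOF
}

# Run the audit over the constructed sample so the script works offline.
demo() {
    tmp=$(mktemp) || return 1
    sample_passwd > "$tmp"
    audit_gecos "$tmp"
    rm -f "$tmp"
}

demo
```

Call `audit_gecos` with no argument to check the local /etc/passwd instead of the sample.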