[1542] in linux-security and linux-alert archive
[linux-security] Re: Re: [Linux UID/GID 'Feature']
daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Mon May 12 12:43:11 1997
From: "Alexander O. Yuriev" <alex@yuriev.com>
To: linux-security@redhat.com
cc: John Fraizer <tvo@EnterZone.Net>
In-reply-to: Your message of "12 May 97 15:46:51 -0000."
<33773B50.46AFA081@EnterZone.Net>
Date: Mon, 12 May 97 12:27:39 -0400
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
Your message dated: 12 May 97 15:46:51 -0000
> > Some people are replying: "what do I care when a root-user is
> > editing /etc/passwd, and can put # in the /etc/passwd file to get
> > a root-account?"
> > That is not the issue. The issue is that as a sysop you might be
> > surprised that putting a "#" in the uid field doesn't stop the guy
> > from logging in, but gives him a root-account instead. You all should
> > better be warned.... (But I never do that -> Ok let it rest)
> > Say you've been closing accounts by adding #'s on SunOS for years and
> > now are administrating a Linux machine. Surprise, that annoying cracker
> > you thought you threw off, now suddenly has root priviliges. Bad thing.
> >
> > Another thing is a "#" in front of the whole line. That also doesn't work.
> > You have to login as "#wolff" instead of just "wolff".
> >
> > One thing that does work is to put a "*" in front of the passwd entry.
> >
> > Roger.
>
> Doesn't work on Slackware 2.0.30 with shadow. I even tried adding the
> "#" in front of the passsword entry in the shadow file.
Because it is not supposed to do that - /etc/passwd and /etc/shadow are
formatted databases and you should not violate their format. Placing # in
front of a numerical field does not make that field invalid as the result of
a translation of string '#N' to a number if I remember correctly is a number
0.
If you would like to lock an account by modifing hash of a password, make
sure that you are using a character which is invalid as a hash, such as '*'.
Also remember that by invalidating hash you are not locking an account, you
are only preventing this user from authenticating himself/herself to a
system via programs that use /etc/passwd to do authentication
Alex