[3766] in bugtraq
Re: Weakness in some linux versions of adduser.
daemon@ATHENA.MIT.EDU (Alan Brown)
Mon Dec 9 03:32:33 1996
Date: Mon, 9 Dec 1996 18:58:25 +1300
Reply-To: Alan Brown <alan@manawatu.gen.nz>
From: Alan Brown <alan@manawatu.gen.nz>
X-To: Dan Merillat <Dan@Merillat.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.LNX.3.95.961208223715.320E-100000@chaos.ao.net>
On Sun, 8 Dec 1996, Dan Merillat wrote:
> Aside from glaring buffer overflows (which are unimportant, as only
> administration should have access to the adduser script) I do notice
> an interesting statistical weakness in adduser... namely, the salt generation.
The revised adduser perl script used in the "shadows-ina-box" Linux
shadowing kit uses passwd to set the password, probably for this reason.
I've spent the weekend ironing vrious bugs out of the 1.2 version and
tidying up the adduser perl script in the package - it enables paranoid
mode in many of the programs compiled, but adduser doesn't have questions
added about whether a user should be allowed pop3 access, plus has a
non-elegant failure mode if the defaults file isn't there.
I've mailed the various fixes and patches done to the shadow kit's
maintainer and the rest is up to him. Meantime, if anyone wants to grab
and comment on what I've got so far, there's a scrappy copy sitting
at ftp://news.manawatu.gen.nz/pub/shadow-ina-box-1.2.1.src.tar.gz
Among other things, we've more than doubled the Cracklib dictionary size
(to 7Mb) and replaced wuftpd with a version that actually compiles on ELF
systems. The Install and Build scripts need some work, as does the modify
program (hits inetd.conf).
AB
