[9860] in bugtraq
Re: Digital Unix 4 protected password database.
daemon@ATHENA.MIT.EDU (Chris Johnson)
Tue Mar 9 17:47:46 1999
Date: Tue, 9 Mar 1999 14:52:55 -0500
Reply-To: Chris Johnson <johnson@ISN.DAC.NEU.EDU>
From: Chris Johnson <johnson@ISN.DAC.NEU.EDU>
X-To: James Clement <clem7508@FREDONIA.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.OSF.3.96.990309022145.4097A-100000@bluedevil.cc.fredonia.edu>
On Tue, 9 Mar 1999, James Clement wrote:
> Greetings,
> Due to the recent outpouring of DU buffer overflows I thought the
> following might be of interest. With the Enhanced Security package
> running, authentication info is stored in individual files according to
> username. In this case /tcb/files/auth/r/root for root and so on. I am not
> aware of any built in method for creating the equivalent of your everyday
> unix /etc/shadow file. As a result it is probable that many DU systems
> have not weeded out poor choices for passwords through the use of a
> program such as Crack since each encrypt is stored in a separate file.
> Though trivial once root is compromised, a would be attacker might
> have an easy time obtaining passwords because of this "feature". The
> program below outputs a crackable shadow file.
>
>
> Regards,
> James Clement
>
>
>
It WAS primarily stored this way. Recent versions however
normally store everything in a DBM style file called auth.db unless you
force it otherwise or already are using the separate file approach.
And as noted, you do need root to run the program. But if you
are root you don't really need it. A simple Perl script or even
simpler shell script will do. Normally the /tcb/files/ tree is owned
by auth.auth and not world readable. But, um, if you're root all bets
are off anyway. You don't actually need the passwords.
Besides, there are uses for the separate file approach.
------------------------------------------------------------------------------
Chris Johnson |Internet: johnson@isn.dac.neu.edu
Assistant Director, Systems |Web: http://www.dac.neu.edu/dac/c.johnson
Division of Academic Computing |Voice: 617.373.3300
Northeastern University, 39 RI |FAX: 617.373.8600
360 Huntington Ave. |If ignorance is bliss, why aren't there more
Boston, MA., U.S.A. 02115 |happy people? Tea bag tag
------------------------------------------------------------------------------
