[2216] in bugtraq


Re: Linux NIS security problem hole and fix

daemon@ATHENA.MIT.EDU (Tim Chown)
Fri Sep 8 10:13:04 1995

Date: Fri, 8 Sep 1995 09:51:47 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Tim Chown <T.J.Chown@ecs.soton.ac.uk>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <Pine.D-G.3.91.950907130610.10131E-100000@hopi.dtcc.edu>

On Thu, 7 Sep 1995, Ken Weaverling wrote:

> I was told by someone that this hole is "well known" and has been discussed
> on the LINUX security list for a while now. A few people have emailed me
> telling me what it was too, so it is obvious that this is "known" about.

Here are my observations on Slackware 2.3 / kernel 1.2.13.

I can say that logging in as + on SW2.3/1.2.13 doesn't give
you anything bar a login refused, IF the passwd entry says
just '+'. The latest SW says that just + is all you need to
pull in entries with the latest libc in use that comes with it.

However, if the entry says '+::0:0:::' then you can log in as
root via telnet (well, you could if we didn't bar direct
root logins), but just 'su +' will get you root of course.

Using an entry of '+:*:0:0:::' allows people to log in but
disallows the root hole.

Lovely :)

Cheers,
Tim
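
A defensive check for the three '+' entry forms compared in the message above, as an added example that is not part of the original post. The function names audit_nis_plus and sample_passwd, the status labels and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies the literal "+"
# entry of a passwd file by its password field, the field that differs
# between the forms compared in the message. All sample lines are constructed.

# audit_nis_plus [FILE]  (reads stdin when FILE is omitted)
# Prints "<status> <entry>" for every entry whose name is exactly "+":
#   BARE      the line is just "+"
#   EMPTY-PW  password field is empty, e.g. "+::0:0:::"
#   PW-SET    password field is non-empty, e.g. "+:*:0:0:::"
# Returns 1 if any EMPTY-PW entry was seen, otherwise 0.
audit_nis_plus() {
    awk -F: '
        $1 != "+" { next }                      # ordinary local account
        NF == 1   { print "BARE " $0; next }
        $2 == ""  { print "EMPTY-PW " $0; risky = 1; next }
                  { print "PW-SET " $0 }
        END       { exit risky + 0 }
    ' "$@"
}

# Constructed sample: two local accounts followed by the three forms.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
tim:x:1000:100:Tim:/home/tim:/bin/sh
+
+::0:0:::
+:*:0:0:::
EOF
}

# Demo run on the constructed sample; the message goes to stderr.
sample_passwd | audit_nis_plus ||
    echo "found a '+' entry with an empty password field" >&2
```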
