[2508] in bugtraq
passwd command in AIX 4.1.4
daemon@ATHENA.MIT.EDU (Dave Roberts)
Mon Feb 5 20:21:11 1996
Date: Mon, 5 Feb 1996 17:56:01 +0000
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Dave Roberts <djr@saa-cons.co.uk>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>

The passwd command under AIX 4.1.4 does not ask for the old password if
you are root, even if you are changing root's password. To me this is a
serious security flaw, but I haven't had any satisfaction from IBM or my
suppliers (that said they would pass on my opinion).

Am I alone in thinking this is a serious problem?

Dave Roberts | "Surfing the Internet" is a sad term for sad people.
Unix Systems Admin | Get a board, find a beach, surf some REAL waves and
SAA Consultants Ltd | get a *real* life.
Plymouth, U.K. | -=[For PGP Key, send mail with subject of "get pgp"]=-