[552] in bugtraq


Re: Sun Patch Id #102060-01

daemon@ATHENA.MIT.EDU (Jon Peatfield)
Wed Dec 21 16:13:35 1994

To: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
Cc: bugtraq@fc.net, jp107@amtp.cam.ac.uk
In-Reply-To: Your message of "Tue, 20 Dec 1994 06:43:42 EST."
             <199412201143.GAA19647@Collatz.McRCIM.McGill.EDU> 
Date: Wed, 21 Dec 1994 18:24:16 +0000
From: Jon Peatfield <J.S.Peatfield@amtp.cam.ac.uk>

> Kinda sad, because passwd -F is mildly useful, and it's really really
> easy to make it secure: just permanently throw away all elevated
> privilege as soon as the -F is noticed on the command line.  Then
> proceed to run as normal.

Well, it may be useful in some environments (we used to use it to maintain a
proto-password file of allocated users), but it *never* worked properly if you
had shadow passwords switched on, which was kind of sad.  It always insisted on
looking in /etc/security/ for the password.adjunct, which defeats the point of
having the -F option.  When we heard about the -F security holes we did the
binary patch thing to remove the -F option.  These days we live without it.

-- Jon

Jon Peatfield, Computer Officer, the DAMTP, University of Cambridge
Telephone: (+44 223) 3-37852     Mail: J.S.Peatfield@damtp.cam.ac.uk
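
The mitigation suggested in the quoted text (give up all elevated privilege as soon as -F is seen, then carry on as normal), sketched as an added example; this is not Sun's passwd source nor code from either poster. The function names are hypothetical, and the sample argument lists in the comments are constructed.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if "-F" appears among the options,
 * e.g. for the constructed command line {"passwd", "-F", "proto", "user"}. */
int has_file_option(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0)
            break;                      /* end of options */
        if (strcmp(argv[i], "-F") == 0)
            return 1;
    }
    return 0;
}

/* Permanently give up set-uid/set-gid privilege. Returns 0 on success. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the uid drop we may not be allowed to change gids.
     * Setting real and effective together also resets the saved ids. */
    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;

    /* Verify the old ids cannot be regained (root as caller always can). */
    if (ruid != 0) {
        if (old_egid != rgid && setegid(old_egid) == 0) return -1;
        if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
    }
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Drop before any file named on the command line is opened. */
    if (has_file_option(argc, argv) && drop_privileges_permanently() != 0) {
        fprintf(stderr, "cannot drop privileges, refusing -F\n");
        return 1;
    }
    printf("uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```

The drop has to happen before any path from the command line is touched, and a failed drop must abort rather than continue with privilege.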

