[12018] in Athena Bugs
Sun4 7.6R: shadow passwords
daemon@ATHENA.MIT.EDU (yandros@MIT.EDU)
Sun May 8 19:26:29 1994
From: yandros@MIT.EDU
Date: Sun, 8 May 94 19:26:21 EDT
To: bugs@MIT.EDU
System: infocalypse.mit.edu, sparc classic with 32M memory, beta-sys, 7.6R
I've also noticed this on deathtongue.mit.edu, an IPX in the SIPB
office, and several cluster suns. I would be highly surprised if it
were more platform-specific than `current athena solaris release'.
What's the problem:
(on infocalypse)
; cat /etc/shadow
root:CHANGED:8714::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
smtp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
news:NP:8797::::::
jrlab:NP:8797::::::
xluo:CHANGED:8813::::::
yoav:CHANGED:8823::::::
sorokin:CHANGED:8828::::::
mkgray:CHANGED:8849::::::
biciunas:CHANGED:8852::::::
yoav:CHANGED:8871::::::
cat:CHANGED:8882::::::
Notice some interesting facts:
o I can read the file (as yandros). I manually changed all the
encrypted passwords to `CHANGED' to protect the passwords
(particularly root's :-)
o yandros is not listed, even though I am logged in. (I'm in the
local passwd file, as is bert, also logged in and suspiciously
absent)
o `yoav' is listed twice. Now, inf doesn't allow remote access to
many people at all (myself and bert, mostly) and all of these
people are local logins, which are rare. On deathtongue it's not
uncommon for people to appear 5 or 10 times.
o xscreensaver bug: when you change your passwd, xscreensaver on
suns (which uses unix passwords, not kerberos passwords (bug?
we'll talk about that later if you're interested. :-)) often
requires the *previous* password to unlock the screen. I don't
recall ever noticing this in a situation where there weren't
multiple entries for the user in /etc/shadow, but it may have
happened; the inverse happens `often'. My personal suspicion is
that the sun getsp* routines are getting confused by the multiple
entries or something similar.
So what do you want to know?
1. Should I be able to read the shadow file? Isn't the point of the
shadow file that it isn't world-readable (cf. AIX /etc/security)?
Sure, this isn't a big distinction on public machines, and I can
always just change my own, but I'm interested in the answer to
this anyway.
2. Should there be multiple entries per user?
3. Does the file ever get cleaned on public machines? It doesn't
seem to on private ones as far as I've noticed (I clean inf's
manually every so often).
thanks,
chad
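An audit script for the three conditions the report raises (a shadow file readable by group or other, users listed more than once, and users present in the local passwd file but absent from shadow). This is an added example, not part of the original report or of Athena; it runs against constructed sample files modelled on the listing above, and `PASSWD_FILE` / `SHADOW_FILE` are variables you would point at a real passwd/shadow pair.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a shadow-format file for
# readability, duplicate entries and passwd users with no shadow entry.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

PASSWD_FILE="$WORK/passwd"   # assumption: replace with the real files to audit
SHADOW_FILE="$WORK/shadow"

# Constructed sample data modelled on the report: yandros and bert are in
# passwd but have no shadow entry, and yoav appears twice in shadow.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
yandros:x:5001:101:Chad:/mit/yandros:/bin/tcsh
bert:x:5002:101:Bert:/mit/bert:/bin/tcsh
yoav:x:5003:101:Yoav:/mit/yoav:/bin/csh
EOF

cat > "$SHADOW_FILE" <<'EOF'
root:CHANGED:8714::::::
daemon:NP:6445::::::
yoav:CHANGED:8823::::::
yoav:CHANGED:8871::::::
EOF
chmod 644 "$SHADOW_FILE"   # deliberately world-readable, as in the report

# 1. Readability: parse the mode column of ls -ld (portable across sh flavours).
#    Prints world-readable / group-readable / ok; returns 1 unless ok.
check_shadow_mode() {
    perms=$(ls -ld "$1" | cut -c1-10)      # e.g. -rw-r--r--
    case $perms in
        ???????r*) echo world-readable; return 1 ;;   # "other" read bit
        ????r*)    echo group-readable; return 1 ;;   # "group" read bit
        *)         echo ok; return 0 ;;
    esac
}

# 2. Duplicate entries: user names that occur more than once, one per line.
find_duplicate_users() {
    cut -d: -f1 "$1" | sort | uniq -d
}

# 3. Coverage: users in passwd ($1) that have no line in shadow ($2).
find_missing_shadow_entries() {
    cut -d: -f1 "$1" | sort -u > "$WORK/passwd.users"
    cut -d: -f1 "$2" | sort -u > "$WORK/shadow.users"
    comm -23 "$WORK/passwd.users" "$WORK/shadow.users"
}

echo "shadow mode: $(check_shadow_mode "$SHADOW_FILE")"
echo "duplicate entries: $(find_duplicate_users "$SHADOW_FILE" | tr '\n' ' ')"
echo "in passwd but not shadow: $(find_missing_shadow_entries "$PASSWD_FILE" "$SHADOW_FILE" | tr '\n' ' ')"
```

On the sample it reports the file as world-readable, `yoav` as duplicated, and `bert` and `yandros` as missing; fixing the mode to 0600 (or 0400) makes the first check print `ok`, which is the state a shadow file is supposed to be in.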