[9066] in Athena Bugs
rsaix 7.3S: /etc/security/passwd
daemon@ATHENA.MIT.EDU (lwvanels@Athena.MIT.EDU)
Mon Mar 9 10:29:18 1992
From: lwvanels@Athena.MIT.EDU
Date: Mon, 9 Mar 92 10:29:10 -0500
To: jik@pit-manager.MIT.EDU
Cc: bugs@Athena.MIT.EDU
In-Reply-To: [9060]
>What good is /etc/security being readable by group security if the
>files in /etc/security are not? Yes, I know, some of them are, but I
>see no reason to treat passwd differently. Is this different
>treatment explicit? Is it justified anywhere in the AIX
>documentation?
The only justification I could find is in their "Introduction to Security":
>Because the password is the only protection for each account, it is
>important that users select and guard their passwords carefully. Many
>attempts to break into a system start with attempts to guess passwords. The
>AIX Version 3 system provides significant password protection by storing
>user and group passwords separately from other user and group information.
>The encrypted passwords and other security-relevant data for users and
>groups are stored in the /etc/security/passwd and /etc/security/group files,
>respectively. These files should be accessible only by the root user. With
>this restricted access to the encrypted passwords, an attacker cannot
>decipher the password with a program which simply cycles through all
>possible or likely passwords.
However, /etc/security/group is mode 640 and group security; their
justification isn't in line with their implementation.
-Lucien
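To make the inconsistency Lucien describes visible on any system, here is a small POSIX sh audit (an added example, not part of this bug report or of AIX): it walks a directory, parses each file's mode string from ls -l, and reports which entries grant group or world read. The directory it runs over is a constructed fixture whose entries (passwd 600, group 640, user 640) only mimic the /etc/security layout under discussion; the function names audit_dir, readable_count and demo_fixture are this example's own.

```shell
#!/bin/sh
# Report every regular file in a directory that its group or the world can
# read, printing mode, owner:group and path so that files with the same
# sensitivity but different modes (the /etc/security complaint) stand out.
audit_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Fields of `ls -ld`: mode links owner group size ... name.
        # Portable across GNU and BSD ls; trailing '.'/'+' (SELinux/ACL
        # markers on GNU ls) are dropped by keeping only the 10 mode chars.
        set -- $(ls -ld "$f")
        mode=$(printf '%s' "$1" | cut -c1-10)
        owner=$3
        group=$4
        grp_r=$(printf '%s' "$mode" | cut -c5)   # 5th char: group read bit
        oth_r=$(printf '%s' "$mode" | cut -c8)   # 8th char: other read bit
        if [ "$grp_r" = r ] || [ "$oth_r" = r ]; then
            printf 'READABLE %s %s:%s %s\n' "$mode" "$owner" "$group" "$f"
        else
            printf 'ok       %s %s:%s %s\n' "$mode" "$owner" "$group" "$f"
        fi
    done
}

# Number of entries flagged by audit_dir (printed on stdout).
readable_count() {
    audit_dir "$1" | awk '/^READABLE/ { n++ } END { print n + 0 }'
}

# Constructed fixture (hypothetical): a temporary directory with empty files
# named after /etc/security entries, using the modes the report describes.
# Prints the directory path; the caller removes it when done.
demo_fixture() {
    d=$(mktemp -d)
    : > "$d/passwd"; chmod 600 "$d/passwd"
    : > "$d/group";  chmod 640 "$d/group"
    : > "$d/user";   chmod 640 "$d/user"
    printf '%s' "$d"
}

# Stand-alone demo: audit the fixture, then clean up.
demo_dir=$(demo_fixture)
audit_dir "$demo_dir"
rm -rf "$demo_dir"
```

Run it as `sh audit.sh`; to check a live directory instead, source the file and call `audit_dir /etc/security` as root. A file that is only readable by root is reported as "ok" even if the enclosing directory is group-searchable, which is exactly the mismatch the message above is pointing at.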