Bugtraq mailing list archives
Re: DEC OSF/1 Enhanced Security passwd problem
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Wed, 31 Aug 1994 16:17:53 -0400
> I'm having trouble w/ DEC OSF/1 V2.0 Enhanced Security. Just yesterday, the passwd program decided to be very friendly and let anyone (except root) change anyone else's password. [...]
> Any user can type "passwd username" to change anyone's password WITHOUT supplying the old password. [...] Strangely, when root attempts to change someone else's password, the "Old password:" prompt is given. It's almost like it's reversing the result when checking whether the user should have to supply the old password.
> Any ideas are welcome.
It seems almost too obvious to need saying...but have you checked your passwd binary against the distribution media (which I hope you have kept, never un-writelocked)? This sounds like exactly what I'd expect if someone broke in, looked through passwd for a place where it checks for root privilege, and reversed the following conditional branch. (This would be a pretty incompetent cracker, but something tells me Sturgeon's Law is as true of crackers as it is of other things.)

der Mouse
mouse () collatz mcrcim mcgill edu
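The check suggested in the reply above, as an added example that is not part of the original post: compare the installed binary byte for byte against the copy read from the write-protected distribution media and report where they differ. The file paths are supplied by the caller and the sample bytes are constructed; an unchanged size with only a few changed bytes is the pattern a patched-in-place binary would show.

```python
import hashlib
import sys
from pathlib import Path


def diff_runs(reference: bytes, installed: bytes):
    """Return contiguous differing runs as (offset, reference_bytes, installed_bytes)."""
    runs, start = [], None
    common = min(len(reference), len(installed))
    for i in range(common):
        if reference[i] != installed[i]:
            if start is None:
                start = i          # a new differing run begins here
        elif start is not None:
            runs.append((start, reference[start:i], installed[start:i]))
            start = None
    if start is not None:          # run extends to the end of the shorter file
        runs.append((start, reference[start:common], installed[start:common]))
    return runs


def compare(reference: bytes, installed: bytes) -> dict:
    """Summarise how the installed image differs from the reference image."""
    runs = diff_runs(reference, installed)
    return {
        "identical": reference == installed,
        "size_delta": len(installed) - len(reference),
        "changed_bytes": sum(len(ref) for _, ref, _ in runs),
        "runs": runs,
        "sha256_reference": hashlib.sha256(reference).hexdigest(),
        "sha256_installed": hashlib.sha256(installed).hexdigest(),
    }


# Constructed sample: 256 arbitrary bytes and a copy with one bit changed at offset 130.
SAMPLE_REFERENCE = bytes(range(64)) * 4
SAMPLE_INSTALLED = SAMPLE_REFERENCE[:130] + bytes([SAMPLE_REFERENCE[130] ^ 1]) + SAMPLE_REFERENCE[131:]

if __name__ == "__main__":
    if len(sys.argv) == 3:         # usage: script REFERENCE_FROM_MEDIA INSTALLED_BINARY
        ref, inst = (Path(p).read_bytes() for p in sys.argv[1:3])
    else:
        ref, inst = SAMPLE_REFERENCE, SAMPLE_INSTALLED
    report = compare(ref, inst)
    print("identical:", report["identical"], "size delta:", report["size_delta"])
    for offset, old, new in report["runs"]:
        print(f"offset {offset:#x}: reference {old.hex()} installed {new.hex()}")
    sys.exit(0 if report["identical"] else 1)
```

Run with the reference copy first and the installed binary second; the exit status is 0 only when the two files are identical.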