Re: DEC OSF/1 Enhanced Security passwd problem

[mouse () Collatz McRCIM McGill EDU (der Mouse)]

> I'm having trouble w/ DEC OSF/1 V2.0 Enhanced Security.  Just
> yesterday, the passwd program decided to be very friendly and let
> anyone (except root) change anyone else's password.  [...]

> Any user can type "passwd username" to change anyone's password
> WITHOUT supplying the old password.  [...]  Strangely, when root
> attempts to change someone else's password, the "Old password:"
> prompt is given.  It's almost like it's reversing the result when
> checking whether the user should have to supply the old password.

> Any ideas are welcome.

It seems almost too obvious to need saying...but have you checked your
passwd binary against the distribution media (which I hope you have
kept, never un-writelocked)?  This sounds like exactly what I'd expect
if someone broke in, looked through passwd for a place where it checks
for root privilege, and reversed the following conditional branch.
(This would be a pretty incompetent cracker, but something tells me
Sturgeon's Law is as true of crackers as it is of other things.)

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu