Bugtraq mailing list archives
Re: passwd command in AIX 4.1.4
From: chris () whitman gmu edu (Chris Burris)
Date: Mon, 5 Feb 1996 20:55:40 -0500
On Mon, 5 Feb 1996, Dave Roberts wrote:
The passwd command under AIX 4.1.4 does not ask for the old password if you are root, even if you are changing root's password. To me this is a serious security flaw, but I haven't had any satisfaction from IBM or my suppliers (that said they would pass on my opinion).
I am assuming that IBM wasn't aware of the sysadmins who leave the console for a few minutes. Linux also has this "problem". I suspect since the passwd code was designed so that root could change any user's passwd, there wasn't a provision to check to see if root was changing root's passwd. Still, this could be easily bypassed by simply editing the /etc/passwd file, setting the passwd field to null.
--
Chris Burris
Violation Communications Inc.
chris () violation ml org