Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: None <tech-userlevel@NetBSD.ORG, tech-kern@NetBSD.ORG, netbsd-users@NetBSD.ORG>
From: Jon Ribbens <jon@oaktree.co.uk>
List: tech-kern
Date: 10/18/1996 16:53:57
Bill Sommerfeld wrote:
> This whole thread is silly.
>
> The data in question (encrypted passwords) is stored in a certain file
> which is mode 0600 owned by root.
>
> It makes no sense to go to extreme measures to make it more protected
> than that, especially since (in this case) the FTP server presumably
> just received the (infinitely more dangerous) *plaintext* password in
> the clear over the net. It's probably still lurking about in the
> stdio buffers...
The ftpd starts out as root, fetches the passwords, and then the
user can make it setuid to themselves by typing their user-name
and password. They can then make it core-dump (using 'kill') and
read the encrypted passwords. I tried it just now and it worked.
Hence this thread is not silly. Anyone with a shell account on
a machine can trivially gain access to the shadow password file.
I'd appreciate it if whoever it was who patched their kernel to
not core-dump programs which *used to be* SUID could post their
patch here.
Cheers
Jon
PS. Actually, it didn't work, because I'm using wu-ftpd. When
I switched back to the standard NetBSD 1.1 ftpd for a sec to
check it, it did work. wu-ftpd catches every signal under the
sun and doesn't core-dump on them. This is obviously not
a very nice solution.
PPS. Sorry if this is on the wrong lists, but the NetBSD lists
are set up weirdly, it seems, and replying to the message
didn't send it to the list like it should've. I'm not sure
what lists the thread was on now.
____
\ // Jon Ribbens //
\// jon@oaktree.co.uk //
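The mitigation Jon asks for at the process level, a daemon that held secrets while root scrubbing them and refusing to core-dump once it becomes the user, as an added example in C. This is not code from the thread, from NetBSD's ftpd or from wu-ftpd. It assumes a POSIX system; the prctl(PR_SET_DUMPABLE) call is Linux-only and is skipped elsewhere, and the hash string and the uid/gid 65534 are constructed placeholders.

```c
/* Added example (not from the thread): a privileged daemon reads secret
 * material while root, then protects it before becoming the user.
 * Mitigations shown: wipe the secret, lower RLIMIT_CORE to 0 so no core
 * file can be written, and (Linux) clear the dumpable flag. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Refuse to write a core file. Lowering a limit never needs privilege,
 * so this works after the daemon has already dropped to the user. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 when the current core-file size limit is 0. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Linux only: tell the kernel this process is not dumpable at all,
 * independent of the limit. Returns -1 with ENOSYS on other systems. */
int mark_not_dumpable(void)
{
#ifdef __linux__
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Overwrite a secret through a volatile pointer so the compiler cannot
 * drop the stores as dead (a plain memset before return often is). */
void wipe_secret(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    while (len--)
        *p++ = 0;
}

int buffer_is_zeroed(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Fill a buffer with a constructed stand-in for a password hash, scrub
 * it, and report whether the scrub left nothing behind. */
int scrub_demo(void)
{
    char hash[64];
    strncpy(hash, "$constructed$not-a-real-hash$", sizeof hash);
    hash[sizeof hash - 1] = '\0';
    if (buffer_is_zeroed(hash, sizeof hash))
        return 0;                      /* nothing to scrub: demo is broken */
    wipe_secret(hash, sizeof hash);
    return buffer_is_zeroed(hash, sizeof hash);
}

/* Drop to the authenticated user's identity; set the group first, because
 * after setuid() a root process can no longer change its gid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    return setuid(uid);
}

int main(void)
{
    /* Order matters: scrub and lock down before handing control to the
     * user, so that a signal sent by the user afterwards dumps nothing. */
    int scrubbed = scrub_demo();
    if (disable_core_dumps() != 0)
        perror("setrlimit(RLIMIT_CORE)");
    if (mark_not_dumpable() != 0 && errno != ENOSYS)
        perror("prctl(PR_SET_DUMPABLE)");
    if (getuid() == 0 && drop_privileges(65534, 65534) != 0)  /* placeholder ids */
        perror("drop_privileges");

    printf("secret wiped: %d, core dumps disabled: %d\n",
           scrubbed, core_dumps_disabled());
    return 0;
}
```

Wiping alone is not enough, because copies of the secret can survive in stdio buffers or freed heap chunks, which is why the core dump is refused as well. Modern kernels also do part of this for you: Linux marks a process non-dumpable when its credentials change, which is the kernel-side behaviour Jon is asking after.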