Subject: Re: replacement for /etc/passwd
To: None <tech-security@netbsd.org>
From: Alan Post <apost@interwoven.com>
List: tech-security
Date: 12/10/2002 08:01:09

In article <20021210043231.A4B537B6B@berkshire.research.att.com>, Steven M. Bellovin wrote:
> In message <slrnavap6e.ip.apost@water.amer.interwoven.com>, Alan Post writes:
>>
>> drwxr-xr-x root:wheel /etc/userdb
>> dr-xr-xr-x root:wheel /etc/userdb/apost
>> -r--r--r-- root:wheel /etc/userdb/apost/uid
>> -r--r--r-- root:wheel /etc/userdb/apost/gid
>> -rw------- apost:users /etc/userdb/apost/passwd_hash
>> -rw-r--r-- apost:users /etc/userdb/apost/office
>> -rw-r--r-- apost:users /etc/userdb/apost/homedir
>> -rw-r--r-- apost:users /etc/userdb/apost/shell
>> dr-xr-xr-x root:wheel /etc/userdb/otheruser
>>
>>The only disadvantage that I can come up with is that if I am able to
>>impersonate a user, I can set her password without knowing the current
>>one.
>>
>>Am I missing something basic?
>
> Yes -- the changes you're permitting are root-equivalent, which means
> that only root should be able to do them. For example, if I can change
> your home directory, I change what .profile you use, which means I
> could run any commands as you.

If you can write to /etc/userdb/apost/homedir, then you must have
access to my files already, so how is this a new problem?

> Similarly, I could change your hashed password to one I know the
> plaintext for, which means that again, I'd have access to all your
> files.

I mentioned that one -- it is easier to set the password, no
trojan-user-delay involved.

Alan
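
Added example, not part of the original message or thread: a short Python model of the quoted /etc/userdb listing that reports which fields a given account can modify under the listed modes, and whether it can create or remove fields in the directory. The function names and the group memberships passed in are assumptions for illustration; only the listing comes from the message.

```python
# Listing copied from the quoted message; all names below are illustrative.
LISTING = """\
drwxr-xr-x root:wheel /etc/userdb
dr-xr-xr-x root:wheel /etc/userdb/apost
-r--r--r-- root:wheel /etc/userdb/apost/uid
-r--r--r-- root:wheel /etc/userdb/apost/gid
-rw------- apost:users /etc/userdb/apost/passwd_hash
-rw-r--r-- apost:users /etc/userdb/apost/office
-rw-r--r-- apost:users /etc/userdb/apost/homedir
-rw-r--r-- apost:users /etc/userdb/apost/shell
dr-xr-xr-x root:wheel /etc/userdb/otheruser
"""

def parse(listing):
    """Return {path: (mode, owner, group)} from 'mode owner:group path' lines."""
    entries = {}
    for line in listing.splitlines():
        mode, owner_group, path = line.split()
        owner, group = owner_group.split(":")
        entries[path] = (mode, owner, group)
    return entries

def allowed(entry, user, groups, offset):
    """Test one permission bit (offset 0 = read, 1 = write, 2 = search/exec).
    Unix consults only the first matching class: owner, then group, then other."""
    mode, owner, group = entry
    if user == "root":
        return True  # the superuser is not restricted by the write bits
    cls = 1 if user == owner else 4 if group in groups else 7
    return mode[cls + offset] != "-"

def writable_fields(entries, user, groups, account):
    """Return (fields of `account` whose contents `user` can modify,
    whether `user` can create or remove fields in the account directory)."""
    base = "/etc/userdb/" + account
    fields = sorted(path[len(base) + 1:] for path, entry in entries.items()
                    if path.startswith(base + "/")
                    and allowed(entry, user, groups, 1))
    return fields, allowed(entries[base], user, groups, 1)

if __name__ == "__main__":
    db = parse(LISTING)
    for who, groups in (("apost", {"users"}), ("otheruser", {"users"})):
        print(who, writable_fields(db, who, groups, "apost"))
```
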