Protecting Password Files

Michael H. Warfield Mike mhw at wittsend.LBP.HARRIS.COM
Tue Dec 27 09:12:33 AEST 1988


In article <4484 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>
>Yes, what you are missing is the slightest understanding of unix, if
>this wasn't unix-wizards I'd have more mercy but instead I'll point
>out you have sunk this list to a new low.
>

     And maybe the point you're missing is the variety of *NIX systems out
in the real world.  A valid point was brought up (although maybe not what the
original author meant to bring up).  I have thought up sillier ways than that
to crack a password file (and roasted more than a few short-sighted programmers
with a terminal case of optical rectitis for doing STUPID things that create
obvious security violations).  His point may in fact emphasize that simple
errors in judgement can easily set up a UNIX system to be HAD by the simplest
of tricks.  Non-standard utilities are a point to consider.  Just because there
is no "standard" UNIX utility that can get around something doesn't mean
you shouldn't protect yourself from the attack.  Your point of DIRED being
non-standard is TOTALLY WORTHLESS!  Certainly if /etc has non-owner write
permission to the directory or if some IDIOT made that DIRED utility SUID to
root (re: optical rectitis above) then that should be pointed out.  If his
system really allows such transgressions then those should be pointed out and
corrected (and possibly the guilty sys-op taken out to a dark alley somewhere).

     The lesson for ALL of us is that WE ARE OUR WORST ENEMIES!  By far, the
worst security violations are the ones we create for ourselves.  Either through
laziness, ignorance, or misguided desires for "ease of use" we can all easily
fall into the trap of creating holes in our systems.  It is far easier to
create a hole than to plug a hole we didn't realize was there.

     Certainly your flame of ANYBODY having a valid concern or question
over UNIX security is far more inappropriate to ANY TECHNICAL group than
any such question NO MATTER HOW STUPID.  And the original poster certainly
did not bring up a stupid point even if (and I seriously doubt it) 90 percent
of the readers of this group really found this so obvious.  Maybe you need
a new newsgroup (comp.unix.wizards.out_of_the_box.purists).

---
Michael H. Warfield  (The Mad Wizard)	| gatech.edu!galbp!wittsend!mhw
  (404)  270-2123 / 270-2098		| mhw at wittsend.LBP.HARRIS.COM
An optimist believes we live in the best of all possible worlds.
A pessimist is sure of it!
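
An added example, not part of the original post or thread: a small Python audit for the two misconfigurations the post names, a password-file directory writable by non-owners and a setuid utility owned by root. The function names, the /usr scan root and the allowlist parameter are assumptions made for illustration.

```python
import os
import stat


def dir_replace_risk(path):
    """Return reasons why non-owners could replace files inside directory `path`."""
    st = os.stat(path)
    findings = []
    sticky = bool(st.st_mode & stat.S_ISVTX)
    for bit, who in ((stat.S_IWGRP, "group"), (stat.S_IWOTH, "other")):
        if st.st_mode & bit:
            # Write permission on a directory allows unlink/rename of its
            # entries regardless of each file's own mode; the sticky bit
            # limits that to the entry's owner and the directory's owner.
            note = "limited by sticky bit" if sticky else "can replace any entry"
            findings.append(f"{path}: {who}-writable ({note})")
    return findings


def setuid_files(root, owner_uid=0, allowlist=()):
    """Return setuid regular files under `root` owned by `owner_uid`, minus `allowlist`."""
    allowed = {os.path.realpath(p) for p in allowlist}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                if os.path.realpath(full) not in allowed:
                    hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    for line in dir_replace_risk("/etc"):
        print("WARN", line)
    # An empty allowlist reports every setuid-root file under the assumed root.
    for path in setuid_files("/usr", allowlist=()):
        print("SUID-root", path)
```

Reviewing the setuid list against an allowlist of utilities known to need the bit is what catches a locally installed tool that was made SUID for convenience.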



More information about the Comp.unix.wizards mailing list