Protecting Password Files

Patrick Townson ptownson at chinet.chi.il.us
Sun Dec 25 18:44:38 AEST 1988


I got to thinking about the security of /etc/passwd files, and it seems to
me they are awfully easy to tamper with. 

Any user can 'cd ..' a few times until they are down to the root directory,
where they can cd etc. Once in etc, they can emacs passwd to review the
file.

Now of course the entries are encrypted, but not to worry, I do not have to
be able to figure it out; after all, I *know what my password is*. I can
use 'cut and paste' techniques to lift my encrypted password and sit it on
top (or 'paste it over') your encrypted password, can't I? Then my password
goes with your account as well as my own.

I can hear your objection now: you say passwd is protected against writing
to the file. The permissions allow only the owner -- in this case the 
computer -- to write the file. Not being the owner, I will be unable to
chmod 666 the file or otherwise adjust the permissions. Again, not to 
worry, for where chmod can't do the job, DIRED can.....

If I park myself on etc, and call DIRED, I can get right in there and
diddle those permissions as required, plugging in 'w' for others on passwd.
Once etc has been properly diddled via DIRED, I won't get any arguments
when I emacs passwd and start cutting and pasting or when I save the file
back out.

At that point, I can log in as you, but using my (pasted over) password
instead of yours. 

If a person wanted to be a real sneak about it, they would not simply
paste over the sysadmin's password with their own, causing the sysadmin
to be locked out of his own machine. If the sysadmin came along and
decided to login, there would be hell to pay. The jig would be up real quick.
If I were going to do something like that, I'd be likely to cp passwd myfile,
then do the cut and paste job on myfile.

Logged in as myself, I'd swap out /etc/passwd with /etc/myfile, renaming
my (pasted-up) file as passwd. Quickly now, login as sysadmin, using my own
password after all, and as the first order of business swap myfile and 
passwd back again so that if the real sysadmin wanted to login, he would
be able to do so without any hassle.

I would keep myfile handy, and whenever I wanted to go on as sysadmin (or
you, perhaps?) I would first go on as myself, make the swapout, login as
whoever and reverse the swap, so as not to 'inconvenience' the true owner
of the account. [Actually, so as not to tip off the authorities! :-) ]

Instead of just picking on the sysadmin, one might simply change all
encrypted password strings to one's own encrypted password string. Change
every occurrence. This special copy of /etc/passwd would have every user
with the same password, namely mine!

Oh, I'm sure it would not actually work...I must be overlooking something.
Prolly one or more of you guys will stand me corrected in a minute.

The catch seems to be that DIRED sees nothing wrong with working on
/etc/passwd. Either DIRED should refuse to work on etc or ideally, DIRED
should be unable to edit the permissions area in directories.

Am I missing something, or is this a simple, easy way to break into anyone's
account with no reference to their true password at all?

Patrick Townson
(replies by mail will be fine, or here as you wish)

ptownson at chinet.chi.il.us
ptownson at bu-cs.bu.edu 
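An added example, not part of Townson's post: a small Python audit that checks a passwd-format file for the two end states the post describes, an encrypted-password string that appears under more than one account (the "paste my hash over yours" case) and a password file whose mode grants write to group or others. The sample accounts, the 13-character hash strings and all function names are constructed for this illustration and do not come from the post.

```python
"""Audit checks for a traditional (pre-shadow) /etc/passwd.

Constructed example, not from the original post. Each record is treated
as the seven colon-separated passwd(5) fields
(name:hash:uid:gid:gecos:home:shell).
"""
import os
import stat
import tempfile
from collections import defaultdict

# Constructed sample: four accounts, two of which share one hash string.
# The hashes are made-up 13-character strings in the old crypt(3) shape.
SAMPLE_PASSWD = """\
root:abJnggxhB/yWI:0:0:Superuser:/:/bin/sh
ptownson:abJnggxhB/yWI:101:10:Patrick Townson:/u/ptownson:/bin/csh
alice:cdKl0qPzR3m8A:102:10:Alice:/u/alice:/bin/sh
guest::103:20:Guest account:/u/guest:/bin/sh
"""


def parse_passwd(text):
    """Return (name, hash) pairs, skipping blank and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd(5) record
        entries.append((fields[0], fields[1]))
    return entries


def shared_hashes(text):
    """Map each hash string used by more than one account to those accounts.

    Two accounts with an identical hash field accept the same password,
    which is exactly what pasting one encrypted string over another yields.
    """
    by_hash = defaultdict(list)
    for name, pw_hash in parse_passwd(text):
        if pw_hash:  # empty fields are reported by empty_passwords()
            by_hash[pw_hash].append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def empty_passwords(text):
    """Accounts whose encrypted-password field is empty (no password asked)."""
    return [name for name, pw_hash in parse_passwd(text) if pw_hash == ""]


def writable_by_non_owner(path):
    """True if the file mode grants write permission to group or others.

    This is the bit the post imagines an editor could grant itself; the
    kernel only honours chmod(2) from the file's owner or root, regardless
    of which program issues the call, so auditing the mode is worthwhile.
    """
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo_mode_check():
    """Exercise writable_by_non_owner() on a temp file set to 0644 then 0666."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        strict = writable_by_non_owner(path)
        os.chmod(path, 0o666)
        loose = writable_by_non_owner(path)
    finally:
        os.remove(path)
    return strict, loose


if __name__ == "__main__":
    print("shared hashes:", shared_hashes(SAMPLE_PASSWD))
    print("empty passwords:", empty_passwords(SAMPLE_PASSWD))
    print("mode check (0644, 0666):", demo_mode_check())
    if os.path.exists("/etc/passwd"):
        print("/etc/passwd writable by non-owner:",
              writable_by_non_owner("/etc/passwd"))
```

Run against the real file, the mode check is the cheap half of the audit; the shared-hash check only means something on systems that still keep hashes in /etc/passwd rather than a shadow file, which is the world the post was written in.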
