WARNING!

[Magnus Olsson]

In article <MEISSNER.91Apr10175314 at curley.osf.org> meissner at osf.org (Michael Meissner) writes:
>In article <26520 at adm.brl.mil> anamaria at saffron.wpd.sgi.com (Ana Maria
>De Alvare') writes:
>
>| I want to make it clear that a person can has access to someone machine's
>| password file throught the internet without having any accounts directly
>| related to that person.  For example, throught the ftp anonymous service,
>| I can copy a password file over.  
>Ummm, unless you wrote your own ftpd, the standard BSD one explicitly
>chroot's anonymous FTP requests to the logon directory of the user
>'ftp'.  In every system manual, where I've seen how to set up
>anonymous FTP, it mentions this, and tells the system manager never to
>make the logon directory be '/'.

Of course, you still need an /etc/passwd file (relative to FTP's "new"
root), but fortunately, the password information isn't needed.
Here's what you get if you onnect with anonymous ftp to our machines
and do a "get /etc/passwd":

root:*:0:1:System PRIVILEGED Account:/:/usr/new/csh
ftp:*:295:15:Anonymous ftp:/usr/users/ftp:/usr/new/csh

All the ordinary users have been edited out, and there's no 
password information left. All the presumptive cracker gets to
know is that there are accounts called root and ftp, and he
probably knew that already...

Magnus Olsson                   | \e+      /_
Dept. of Theoretical Physics    |  \  Z   / q
University of Lund, Sweden      |   >----<           
Internet: magnus at thep.lu.se     |  /      \===== g
Bitnet: THEPMO at SELDC52          | /e-      \q