[comp.sys.hp] Serious security bug with passwd

rkl@anduin.cs.liverpool.ac.uk (08/22/90)

There appears to be what I would consider to be a serious security bug
with both HP-UX 6.5 (or 3.1) and 7.0 running on HP9000 kit (both series
300 and 800):

Login as root and type "passwd". Press RETURN only at each of the two
password prompts and - hey presto ! - root now has a blank password and
NO WARNING IS GIVEN (it's bad enough that it allows it in the first place).

The /etc/passwd entry for root appears to have a non-null crypted password,
but it's actually a null password encrypted by crypt ! This is even more
dangerous, because programs like pwck won't pick this up.

I've tried the same thing on an HLH Orion BSD 4.2 machine as root and it
immediately rejects a blank password at the first New Password prompt.

I thought this was important enough to be mentioned net-wide - how many
times do you leave your console unattended with root logged in ...? I feel
that "passwd" should prompt for the old password in the same way as "yppasswd"
does and should disallow blank passwords.

Richard K. Lloyd,       *** This is a MicroVAX II running VAX/VMS V5.3-1 ***
Computer Science Dept., * JANET     : RKL@UK.AC.LIV.CS.AND or              *
Liverpool University,   *             RKL@000010500211.FTP.MAIL            *
Merseyside, England,    * Internet  : RKL%and.cs.liv.ac.uk@cunyvm.cuny.edu *
Great Britain.          ***       Please note: New e-mail address !      ***
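
Added example, not part of the original post or the thread: the gap described above (an entry that looks non-null but is crypt() of the empty string) can be audited by re-hashing the empty string with each stored hash as the salt and comparing. The sample lines and their hashes are constructed at run time, and the function names and the `libcrypt.so.1` fallback are assumptions of this example.

```python
# Added example: find accounts whose stored hash is crypt() of the empty string.
try:
    from crypt import crypt as _crypt            # standard library up to Python 3.12
except ImportError:                               # module removed in 3.13: call libcrypt
    import ctypes
    _lib = ctypes.CDLL("libcrypt.so.1")           # assumption: Linux libcrypt soname
    _lib.crypt.restype = ctypes.c_char_p
    _lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

    def _crypt(word, salt):
        out = _lib.crypt(word.encode(), salt.encode())
        return out.decode() if out else None


def hashes_empty_password(stored):
    """True if `stored` is what crypt() produces for "" with the same salt."""
    if len(stored) < 13 or stored[0] in "*!":
        return False                              # locked, shadowed or malformed entry
    try:
        # crypt() takes salt and scheme from the stored hash itself
        return _crypt("", stored) == stored
    except OSError:                               # scheme not supported by this libcrypt
        return False


def audit_passwd(lines):
    """Return (user, finding) pairs for accounts that accept an empty password."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 7:
            continue                              # not a passwd(4) record
        user = fields[0]
        stored = fields[1].split(",", 1)[0]       # drop System V aging suffix, if any
        if stored == "":
            findings.append((user, "empty password field"))
        elif hashes_empty_password(stored):
            findings.append((user, "hash of the empty password"))
    return findings


def constructed_sample(salt="ab"):
    """Constructed passwd lines; the hashes are generated here, none are real."""
    return [
        "root:%s:0:3::/:/bin/sh" % _crypt("", salt),
        "oper:%s,2/:101:20::/users/oper:/bin/sh" % _crypt("constructed", salt),
        "guest::102:20::/users/guest:/bin/sh",
        "daemon:*:1:5::/:/bin/sh",
    ]


if __name__ == "__main__":
    for user, finding in audit_passwd(constructed_sample()):
        print(user, finding)
```

To audit a real system, pass the lines of a copy of its password file to `audit_passwd` in place of the constructed sample.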

jim@cs.strath.ac.uk (Jim Reid) (08/23/90)

In article <1990Aug22.155715.15365@anduin.cs.liverpool.ac.uk> rkl@anduin.cs.liverpool.ac.uk writes:

   Login as root and type "passwd". Press RETURN only at each of the two
   password prompts and - hey presto ! - root now has a blank password and
   NO WARNING IS GIVEN (it's bad enough that it allows it in the first place).

   The /etc/passwd entry for root appears to have a non-null crypted password,
   but it's actually a null password encrypted by crypt ! This is even more
   dangerous, because programs like pwck won't pick this up.

Someone with super-user privileges should not be so stupid that they
attempt to give root a null password. [Dearie me, the passwd program
has done *exactly* what you told it: how could it know that root did
or did not want a null password?]

   I thought this was important enough to be mentioned net-wide - how many
   times do you leave your console unattended with root logged in ...? I feel
   that "passwd" should prompt for the old password in the same way as
   "yppasswd" does and should disallow blank passwords.

Some observations:

[1] ANYONE who leaves an unattended root login is asking for trouble.

[2] If you're using Yellow Pages (NIS) to distribute password files,
you don't have security anyway. yppasswd just adds more security holes
to something that's already easily compromised.

[3] The reason that passwd does not ask for the old root password is
very simple: what if it had been forgotten or root's encrypted
password was corrupted somehow? On most machines, you should be able
to boot the system to single-user mode without needing to give a
password (perhaps only from distribution media) and that would enable
you to fix the password file. [Bear in mind that a lot of these new
"C2 secure Unix" systems don't allow hand editing of the password
file(s), only permitting updates through utilities like passwd.]

		Jim

rodean@hpfcdc.HP.COM (Bruce Rodean) (08/24/90)

In article <1990Aug22.155715.15365@anduin.cs.liverpool.ac.uk> rkl@anduin.cs.liverpool.ac.uk writes:
> There appears to be what I would consider to be a serious security bug
> with both HP-UX 6.5 (or 3.1) and 7.0 running on HP9000 kit (both series
> 300 and 800):
>
> [Details of passwd giving root user NULL passwd deleted]
>
> I thought this was important enough to be mentioned net-wide - how many
> times do you leave your console unattended with root logged in ...? I feel
> that "passwd" should prompt for the old password in the same way as
> "yppasswd" does and should disallow blank passwords.

The manual entry is very specific on this.  The last sentence on
passwd(1) says:

  A super-user can create a null password by entering a carriage return
  in response to the prompt for a new password.

This is consistent with the System V Interface Definition, third
edition.  No one would expect someone to have root's password be null;
but the capability is allowed.

Bruce Rodean
rodean@hpfcla.HP.COM

This posting does not reflect any official position of Hewlett-Packard
Co.  No guarantees of any kind are implied or stated.

alien@hpdmd48.boi.hp.com (Tom von Alten) (09/06/90)

...and as for leaving a root login by mistake:

set up "autologout" to guarantee your memory.



<of course this isn't _official_ advice...>