barn@paxton.ced.berkeley.edu (Gary Barnette) (01/06/89)
Can someone tell me if it is OK to have comments ( #... ) in /etc/passwd. Passwd(5) doesn't tell me. Running BSD 4.2 version 3.2 on Suns.

Thank you,
Gary Barnette
barn@CED.berkeley.edu
steved@longs.LANCE.ColoState.Edu (Steve Dempsey) (01/06/89)
In article <18759@agate.BERKELEY.EDU> barn@paxton.ced.berkeley.edu (Gary Barnette) writes:
>
> Can someone tell me if it is OK to have comments ( #... )
> in /etc/passwd. Passwd(5) doesn't tell me. Running
> BSD 4.2 version 3.2 on Suns.

I can't think of any stock 4.[23]/SunOS code that is likely to break. For my own utilities that might not be robust enough (:-) and anything else that may be lurking, I'd make the comment in the form of a legitimate passwd entry - something like this:

    #:*:-99:-99:*** comments go here ***:/:/nologinshell

> Gary Barnette
> barn@CED.berkeley.edu

Steve Dempsey, Center for Computer Assisted Engineering
Colorado State University, Fort Collins, CO 80523   +1 303 491 0630
INET: steved@longs.LANCE.ColoState.Edu, dempsey@handel.CS.ColoState.Edu
UUCP: boulder!ccncsu!longs.LANCE.ColoState.Edu!steved, ...!ncar!handel!dempsey
gwyn@smoke.BRL.MIL (Doug Gwyn ) (01/06/89)
In article <18759@agate.BERKELEY.EDU> barn@paxton.ced.berkeley.edu (Gary Barnette) writes:
> Can someone tell me if it is OK to have comments ( #... )
> in /etc/passwd. Passwd(5) doesn't tell me. Running
> BSD 4.2 version 3.2 on Suns.

No!!! The first time someone uses /bin/passwd to change his password, you'll have a password-free superuser account created on your system.
gordon@prls.UUCP (Gordon Vickers) (01/07/89)
>In article <18759@agate.BERKELEY.EDU> barn@paxton.ced.berkeley.edu (Gary Barnette) writes:
> Can someone tell me if it is OK to have comments ( #... )
> in /etc/passwd. Passwd(5) doesn't tell me. Running
> BSD 4.2 version 3.2 on Suns.

The only safe way I have found to do this is by creating dummy accounts:

_:- :6:6::: ***************************
_:- :6:6: * Remote System Logins:: *
_:- :6:6::: ***************************
ris:Nologin:11:11:Remote Installation Services Account:/usr/adm/ris:/bin/sh
uucp:Nologin:4:1:UNIX-to-UNIX Copy:/usr/spool/uucppublic:/usr/lib/uucp/uucico
codata:x5Gq1pJw5sPXg:5:1:Codata 3300, Unix:/usr/spool/uucppublic:/usr/lib/uucp/uucico
rdm:SU5KSJk9fj1qA:0:0:0:/usr/spool/uucppublic:/usr/lib/uucp/tip
_:- :6:6::: *******************
_:- :6:6: * 'Maint' Users:: *
_:- :6:6::: *******************
john:bVsf6thFqV2CI:40:40:Cntry Club President,69,5333, :/a/john:/usr/new/csh
bob:RJry9eu0izqwc:41:40:Bob Stokes,69,5359, :/a/bob:/usr/new/csh
dave:c1ec9/NDKaGzs:42:40:Dave Draper,69,5359, :/a/dave:/usr/new/csh
al:HnhqLtgtxEI/s:43:40:Al Alverez,69,5359, :/a/al:/usr/new/csh
doug:KlRZHM5DSwb2c:44:40:Doug F.,69,5359, :/a/doug:/usr/new/csh
_:- :6:6::: *********************
_:- :6:6: * 'Control' Users:: *
_:- :6:6::: *********************
gordon:Yv/SVf7npcCrQ:10:20:G Vickers,69,5370,5551212:/a/gordon:/usr/new/csh
fms:Cua74KLkuDvZ2:13:20:FMS Operator,69,5370, :/a/fms:/usr/new/csh
tom:E/Z5fvvRHb6gw:12:20:Tom Brown,69,5370,4082675631:/a/tom:/usr/new/csh
_:- :6:6::: ********************
_:- :6:6: * 'Admin' Users:: *
_:- :6:6::: ********************
irwin:l0ADs6m5HBdPc:61:60:Elizabeth Irwin,69,5337, :/b/irwin:/usr/new/csh
stockrm:LxKqSuqI6h8WY:62:60:Stock Room Office,69,5372, :/b/stockrm:/usr/new/csh
_:- :6:6::: *************************
_:- :6:6: * 'Engineering' Users:: *
_:- :6:6::: *************************
debbie:1Y8My2vEoIQoE:71:70:Debbie Ingraham,58,5204, :/b/debbie:/usr/new/csh
castro:VYadkuDtQRoto:72:70:Dave Castro,58,5271, :/b/castro:/usr/new/csh
bangs::73:70:Mike Bangs,58,5251, :/b/bangs:/usr/new/csh
_:- :6:6::: *******************
_:- :6:6: * 'Guest' Users:: *
_:- :6:6::: *******************
gamer:never-has-one:50:50:He who writes the scores,,, :/:
guest:njN.phg8JW07k:101:100:On-line guest,,, :/usr/guest:/usr/new/csh
-----------------------------------------------------------------------

NOTES:

Every comment line contains a filled in passwd field, perhaps someone very familiar with DES (I'm not at all) could figure out the "unencrypted" form.

Comment lines do not specify a home directory. I run Ultrix. Login fails if the account does not contain a home directory (but one can still 'su' to the login name provided one knows the password).

Some utilities don't like seeing more than one account with the same uid and gid combination. This has not been a problem at this site.

I'm no guru, I've never studied Unix source, etc..... Proceed at your own risk.

Comments to my suggestions welcomed!

Gordon Vickers 408/991-5370 (Sunnyvale,Ca); {mips|pyramid|philabs}!prls!gordon
guy@auspex.UUCP (Guy Harris) (01/07/89)
> Can someone tell me if it is OK to have comments ( #... )
> in /etc/passwd. Passwd(5) doesn't tell me. Running
> BSD 4.2 version 3.2 on Suns.

No version of UNIX that I know of treats lines in "/etc/passwd" that begin with "#" specially. I'd suggest you not put comments in "/etc/passwd".
merlyn@intelob.biin.com (Randal L. Schwartz @ Stonehenge) (01/07/89)
In article <934@ccncsu.ColoState.EDU>, steved@longs (Steve Dempsey) writes:
| In article <18759@agate.BERKELEY.EDU> barn@paxton.ced.berkeley.edu (Gary Barnette) writes:
| >
| > Can someone tell me if it is OK to have comments ( #... )
| > in /etc/passwd. Passwd(5) doesn't tell me. Running
| > BSD 4.2 version 3.2 on Suns.
|
| I can't think of any stock 4.[23]/SunOS code that is likely to break.

I can think of one: passwd(1). I don't have access to the source (it's funny when vendors think that they have to lock up the source from a contractor when I've been staring at the source since V6, but that's another story), but I'm pretty sure that passwd(1) copies the /etc/passwd file through a loop of:

    struct passwd *foo;
    while ((foo = getpwent()) != NULL) {            /* one entry per line */
        if (strcmp(foo->pw_name, "the thing getting changed") == 0)
            ;                                       /* muck with foo struct */
        fprintf(newpwdfile, "%s:%s:%s...", foo->pw_name, foo->pw_passwd, ...);
    }

and if getpwent gets an error record, you get back a zeroed-out structure. Yuck. That's what makes the famous:

    ::0:0:::

record that allows BSD's /bin/rsh to login as root with no password! I think this has been fixed in the latest passwd(1)'s but I bet your non-conforming entries will still get tossed the next time someone changes their password.

| For my own utilities that might not be robust enough (:-) and anything else
| that may be lurking, I'd make the comment in the form of a legitimate passwd
| entry - something like this:
|
| #:*:-99:-99:*** comments go here ***:/:/nologinshell

I like this better. Just make sure that the password is really bad, and not null. I don't think this would break anything. (Of course, if it does, y'all will be quick to tell me, eh?)

--
Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
on contract to BiiN Technical Information Services (for now :-), in a former Intel building in Hillsboro, Oregon, USA.
<merlyn@intelob.biin.com> or ...!tektronix!inteloa[!intelob]!merlyn
SOME MAILERS REQUIRE <merlyn@intelob.intel.com> GRRRRR!
Standard disclaimer: I *am* my employer!
gordon@sneaky.TANDY.COM (Gordon Burditt) (01/09/89)
> The only safe way I have found to do this is by creating dummy accounts:
>_:- :6:6::: ***************************
>_:- :6:6: * Remote System Logins:: *
>_:- :6:6::: ***************************
> Every comment line contains a filled in passwd field, perhaps someone
> very familiar with DES (I'm not at all) could figure out the "unencrypted"
> form.

The alphabet for encrypted passwords consists of A-Z, a-z, 0-9, period, and slash. Anything in the password field that contains a character other than these, or which isn't 13 characters long, doesn't have a corresponding "unencrypted" form. DES produces a 64-bit binary value which crypt(3) then turns into printable form. There is also the 12-bit salt. You don't have to know anything more about DES. The turn-to-printable routine divides the salt into 2 6-bit hunks and the DES value into 11 6-bit hunks (using 2 extra dummy bits), and each hunk is represented by 1 character, taken from the set listed above. Crypt(3) is never going to produce encrypted passwords containing '*', blanks, or 1-character long encrypted passwords, so no password can ever match. As far as login, su, etc. are concerned, this method of inserting comments is safe.

> Some utilities don't like seeing more than one account with the same
> uid and gid combination. This has not been a problem at this site.

The only standard (Sys V) utilities I am familiar with that complain about multiple accounts with the same uid/gid combination are those specifically designed to do so (and their entire function is to check the sanity of the password and group files: "pwcheck" and "grpcheck"). You can ignore the messages related to the comment entries unless you have a boss that takes the messages as gospel and insists you fix the problem. Some systems have distributed password files with the same uid/gid combinations in the password file.

Gordon L. Burditt
...!texbell!sneaky!gordon
sysrick@uwila.cfht.hawaii.edu (Rick McGonegal) (01/09/89)
It is also worthwhile to point out that comments in /etc/group should only be entered as "pseudo-groups".
ray3rd@ssc-vax.UUCP (Ray E Saddler III) (01/10/89)
In article <18759@agate.BERKELEY.EDU>, barn@paxton.ced.berkeley.edu (Gary Barnette) asks:
>
> Can someone tell me if it is OK to have comments ( #... )
> in /etc/passwd. Passwd(5) doesn't tell me. Running
> BSD 4.2 version 3.2 on Suns.
>

First of all, the answer to your question is Yes, but you must be extremely careful to avoid security holes which can be created by the /bin/passwd tool. Potential holes that I know of allow a regular user to become root with a simple su "" command, due to blank lines. Example:

    joe:pH1mdTEucLHNU:109:100:Joe User:/user/joe:

    mary:4WvYhG2tLc72:201:200:Mary Hacker:/user/mary:

When passwd is run, this will end up looking like:

    joe:pH1mdTEucLHNU:109:100:Joe User:/user/joe:
    ::0:0:::
    mary:4WvYhG2tLc72:201:200:Mary Hacker:/user/mary:

Rule #1.....Don't have blank lines in /etc/passwd
Rule #2.....Pay attention to the structure required by passwd
Rule #3.....Comply with the rules.

What I recommend is reserving a uid for comments, I use 99999, and writing your comment lines something like this:

    joe:pH1mdTEucLHNU:109:100:Joe User:/user/joe:
    -:-:99999:200:-:-:
    -:-:99999:200:-:-: Programming staff
    -:-:99999:200:-:-:
    mary:4WvYhG2tLc72:201:200:Mary Hacker:/user/mary:

I like to have my comments a bit visible, which is why there is a 'blank line' effect. This seems a bit crude, but it works for me.

--
Ray E. Saddler III, Boeing Aerospace, P.O. Box 3999 m.s. 3R-05, Seattle, Wa. 98124 USA
Path: ..!ssc-vax!ray3rd   From: ray3rd@ssc-vax.UUCP   VoiceNet: (206) 657-2824
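The checks the thread argues about (Burditt's crypt(3) alphabet rule, the blank line that passwd(1) rewrites as ::0:0:::, and the duplicate uid/gid pairs that pwcheck complains about) as an added Python linter; this is example code written for this page, not any poster's tool. It runs over a constructed sample passwd file; note that the mary entry from Saddler's post has a 12-character password field, so the linter reports it as one no cleartext can ever match.

```python
import re
from collections import defaultdict
# crypt(3) output is 13 chars from a 64-symbol alphabet: 2 salt chars (12 bits)
# then 11 chars carrying the 64-bit DES result. Nothing else can ever match.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Constructed sample, not a real system's file: normal accounts, both dummy-
# account comment styles from the thread, a '#' line, a blank line, ::0:0:::.
SAMPLE_PASSWD = """\
root:XXXXXXXXXXXXX:0:0:Charlie Root:/:/bin/sh
joe:pH1mdTEucLHNU:109:100:Joe User:/user/joe:
# programming staff
-:-:99999:200:-:-:
_:- :6:6::: ***************************

mary:4WvYhG2tLc72:201:200:Mary Hacker:/user/mary:
::0:0:::
"""
def password_can_match(field):
    """Empty field (empty password) or well-formed crypt(3) output: some
    cleartext authenticates. '*', '-', blanks, wrong length: never."""
    return field == "" or CRYPT_RE.match(field) is not None

def check_passwd(text):
    """Lint passwd-format text; return a sorted list of (line_no, problem)."""
    problems, ids = [], defaultdict(list)  # ids: (uid, gid) -> line numbers
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            problems.append((n, "blank line"))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((n, "expected 7 fields, found %d" % len(fields)))
            continue
        name, pw, uid, gid = fields[:4]
        if not all(f.lstrip("-").isdigit() for f in (uid, gid)):
            problems.append((n, "non-numeric uid/gid"))
            continue
        uid, gid = int(uid), int(gid)
        ids[(uid, gid)].append(n)
        if pw == "":
            problems.append((n, "empty password field for uid %d" % uid))
        elif not password_can_match(pw):
            problems.append((n, "unmatchable password field (comment or locked)"))
        if uid == 0 and name != "root":
            problems.append((n, "extra uid-0 account %r" % name))
    for (uid, gid), lines in ids.items():
        if len(lines) > 1:
            problems.append((lines[-1], "uid/gid %d/%d reused on lines %s" % (uid, gid, lines)))
    return sorted(problems)
```

Dummy comment entries show up only as "unmatchable" and "reused" findings, which is the expected noise; an "empty password field for uid 0" finding is the ::0:0::: record and needs fixing immediately.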
childers@avsd.UUCP (Richard Childers) (01/13/89)
barn@paxton.ced.berkeley.edu (Gary Barnette) writes:
> Can someone tell me if it is OK to have comments ( #... )
> in /etc/passwd.

Theoretically speaking, no, you can't have comments in /etc/passwd. But practically speaking, it's possible to hack a fake 'passwd' entry that acts in a way analogous to comments. But this is a security hole, of sorts, in that unless you do it just right it might facilitate a breakin. While I guess it depends on the intent, usually strict numbering of UIDs and occasional use of CAPITALS will work as an interim solution.

> Thank you,

You're welcome !

> Gary Barnette
> barn@CED.berkeley.edu

-- richard --

* "I haven't lost my mind ... it's backed up on tape." *
* ( Pete Da Silva ) *
* ..{amdahl|decwrl|octopus|pyramid|ucbvax}!avsd.UUCP!childers@tycho *
* AMPEX Corporation - Audio-Visual Systems Division, R & D *