jepeway@UTKCS2.CS.UTK.EDU (Chris Jepeway) (06/11/87)
Howdy,

Does any system software muck with the passwords in /etc/group? I'm new
to administering Unix, and I'd like to know what's up with groups.

Thanks ever,
Chris Jepeway
news@rlvd.UUCP (News) (06/17/87)
In article <7817@brl-adm.ARPA> jepeway@UTKCS2.CS.UTK.EDU (Chris Jepeway) writes:
>
>Does any system software muck with the passwords in /etc/group? I'm new
>to administering Unix, and I'd like to know what's up with groups.

In a word, no. There is provision for passwords in the group structure, but
there is nothing provided to put the passwords in there. It is possible to put
a password into /etc/group by copying a known password from /etc/passwd into
the appropriate field, but this is an awful kludge. The simplest answer is:
don't bother with passwords in /etc/group.

My comments apply to all BSD4.n systems and right back to v6, and I think to
system V and its derivatives as well.

Ian "Motorcycle Maaaaan" Gunn
UK JANET : ian@uk.ac.rl.vd            Rutherford Appleton Laboratory
UUCP : ..!mcvax!ukc!rlvd!ian          Chilton, Didcot, Oxon OX11 0QX
ARPA : @ucl.cs.arpa:ian@vd.rl.ac.uk   England.
'phone : (0235) 21900 ext: 5707
rml@hpfcdc.HP.COM (Bob Lenk) (06/20/87)
>>
>>Does any system software muck with the passwords in /etc/group? I'm new
>>to administering Unix, and I'd like to know what's up with groups.

> In a word, no. There is provision for passwords in the group structure, but
>there is nothing provided to put the passwords in there. It is possible to put
>a password into /etc/group by copying a known password from /etc/passwd into
>the appropriate field, but this is an awful kludge. The simplest answer is:
>don't bother with passwords in /etc/group.
> My comments apply to all BSD4.n systems and right back to v6, and I think to
>system V and its derivatives as well.

The above is correct with respect to System V et al. as far as software
setting up passwords. However, System V, System III, V7, V6 (and quite
possibly pre-4.2 BSD systems) have newgrp(1) which uses the password if
it exists.

Bob Lenk
{ihnp4, hplabs}!hpfcla!rml
michael@macom1.UUCP (Michael Mullins) (06/25/87)
in article <5740010@hpfcdc.HP.COM>, rml@hpfcdc.HP.COM (Bob Lenk) says:
>>>Does any system software muck with the passwords in /etc/group? I'm new
>>>to administering Unix, and I'd like to know what's up with groups.
>
>> In a word, no. There is provision for passwords in the group structure, but
>>there is nothing provided to put the passwords in there. It is possible to put
>>a password into /etc/group by copying a known password from /etc/passwd into
>>the appropriate field, but this is an awful kludge. The simplest answer is:
>>don't bother with passwords in /etc/group.
>> My comments apply to all BSD4.n systems and right back to v6, and I think to
>>system V and its derivatives as well.
>
> The above is correct with respect to System V et al. as far as software
> setting up passwords. However, System V, System III, V7, V6 (and quite
> possibly pre-4.2 BSD systems) have newgrp(1) which uses the password if
> it exists.

This may be a little novice sounding to all the experts on the net, but ....
I have found that the best way to assign a password to a group, short of
writing a special utility to assign one, is to force a password change from
'root' on one of the system users like 'bin'. (Usually the password field for
this user is set: "**NO WAY**" or "NOLOGIN", neither of which could be
processed properly by the login process.)

Once the password is assigned, I "vi /etc/passwd" and yank the password
field, then change the field back to "**NO WAY**", then ":e /etc/group"
(edit new file) move to the password field of the group in question and use
the put function of vi. At this point, the password you assigned earlier is now
in effect for that group.

I guess I left out two important steps, in the case of "/etc/passwd", make
sure you write! the new file before calling "/etc/group", you don't want
someone to even be capable to login as this user! Also, of course save the
"/etc/group" file.

As I said, this is the best way (for me) short of writing a special utility
to change the group password. The above could be converted to using the
text processing utils, or "ed", it's really a matter of how often you plan to
assign/change group passwords.

john m mullins
Disclaimer: ... Yah, yah, that's the ticket!
metro@asi.UUCP (Metro T. Sauper) (06/27/87)
In article <207@macom1.UUCP>, michael@macom1.UUCP (Michael Mullins) writes:
> This may be a little novice sounding to all the experts on the net, but ....
> I have found that the best way to assign a password to a group, short of
> writing a special utility to assign one, is to force a password change from
> 'root' on one of the system users like 'bin'. (Usually the password field for
> this user is set: "**NO WAY**" or "NOLOGIN", neither of which could be
> processed properly by the login process.)
>
> Much more details.

If I were editing /etc/group in vi and needed text for a password, I would try
something like the following:

    :r ! echo "newpasswd" | /usr/lib/makekey

Then I could move the new passwd text to where it was supposed to go.

--
Metro T. Sauper, Jr.                   Assessment Systems, Inc.
Director, Remote Systems Development   210 South Fourth Street
(215) 592-8900  ..!asi!metro           Philadelphia, PA 19106
nk233514@cisunx.UUCP (Deus) (07/01/87)
In article <207@macom1.UUCP> michael@macom1.UUCP (Michael Mullins) writes:
[ Some other stuff ]
>
>Once the password is assigned, I "vi /etc/passwd" and yank the password
>field, then change the field back to "**NO WAY**", then ":e /etc/group"
>(edit new file) move to the password field of the group in question and use
>the put function of vi. At this point, the password you assigned earlier is now
>in effect for that group.
>
[ More Stuff ]

One thing I'd like to pass along is to use vipw, not vi, to edit the passwd
file.
If for some reason, you make a small mistake in vi, and corrupt the password
file - vi will not catch it, but vipw will.

vipw could save a lot of trouble !

Deus
john@xanth.UUCP (John Owens) (07/06/87)
> One thing I'd like to pass along is to use vipw, not vi, to edit the passwd
> file.
> If for some reason, you make a small mistake in vi, and corrupt the password
> file - vi will not catch it, but vipw will.

Also, vipw uses the file /etc/ptmp, whose presence "locks" the password
file. If you didn't use vipw or something similar, and someone changed
their password while you were editing the file, their change would be
lost when you write your version of the passwd file.

--
John Owens    Old Dominion University - Norfolk, Virginia, USA
john@ODU.EDU            old arpa: john%odu.edu@RELAY.CS.NET
+1 804 440 4529         old uucp: {seismo,harvard,sun,hoptoad}!xanth!john
allbery@ncoast.UUCP (07/07/87)
As quoted from <3671@cisunx.UUCP> by nk233514@cisunx.UUCP (Deus):
+---------------
| In article <207@macom1.UUCP> michael@macom1.UUCP (Michael Mullins) writes:
| >Once the password is assigned, I "vi /etc/passwd" and yank the password
| One thing I'd like to pass along is to use vipw, not vi, to edit the passwd
| file.
+---------------

BSD has "vipw". Sys3, SysV, Xenix, etc. DON'T. (Someone want to come up
with a PD version? --mailed to security@rutgers rather than posted, perhaps.
It does decrypt passwords, I believe?)

++Brandon
--
Brandon S. Allbery, moderator of comp.sources.misc and comp.binaries.ibm.pc
ncoast Public Access UN*X, +1 216 781 6201 -- we have alt.all (email for info)
aXcess Company                                      cbosgd \
6615 Center St. #A1-105    {ames,harvard,mit-eddie}!necntc  > !ncoast!allbery
Mentor, OH 44060-4101         {well,ihnp4,pyramid}!hoptoad /
+1 216 974 9210           necntc!ncoast!allbery@harvard.harvard.edu
bob@acornrc.UUCP (Bob Weissman) (07/08/87)
In article <2812@ncoast.UUCP>, allbery@ncoast.UUCP (Brandon Allbery) writes:
> BSD has "vipw". Sys3, SysV, Xenix, etc. DON'T. (Someone want to come up
> with a PD version? --mailed to security@rutgers rather than posted, perhaps.
> It does decrypt passwords, I believe?)

4.2bsd vipw doesn't decrypt passwords. It provides file locking on the
passwd file and does a few sanity checks on the "root" entry.

--
Bob Weissman
Internet: bob@acornrc.UUCP
UUCP: ...!{ ames | decwrl | oliveb | apple }!acornrc!bob
Arpanet: bob%acornrc.UUCP@AMES.ARPA
mkhaw@teknowledge-vaxc.UUCP (07/08/87)
in article <399@acornrc.UUCP>, bob@acornrc.UUCP (Bob Weissman) says:
->
-> In article <2812@ncoast.UUCP>, allbery@ncoast.UUCP (Brandon Allbery) writes:
->> BSD has "vipw". Sys3, SysV, Xenix, etc. DON'T. (Someone want to come up
->> with a PD version? --mailed to security@rutgers rather than posted, perhaps.
->> It does decrypt passwords, I believe?)
->
-> 4.2bsd vipw doesn't decrypt passwords. It provides file locking on the
-> passwd file and does a few sanity checks on the "root" entry.

vipw creates a copy of /etc/passwd in /etc/ptmp and edits the latter by using
$EDITOR, or vi if EDITOR is not set. The "passwd" program observes the
restriction that if a file called /etc/ptmp exists, then it should not try
to update /etc/passwd.

Mike Khaw
--
internet: mkhaw@teknowledge-vaxc.arpa
usenet: {hplabs|sun|ucbvax|decwrl|sri-unix}!mkhaw%teknowledge-vaxc.arpa
USnail: Teknowledge Inc, 1850 Embarcadero Rd, POB 10119, Palo Alto, CA 94303
nk233514@cisunx.UUCP (Deus) (07/10/87)
In article <2812@ncoast.UUCP> allbery@ncoast.UUCP (Brandon Allbery) writes:
>
>BSD has "vipw". Sys3, SysV, Xenix, etc. DON'T. (Someone want to come up
>with a PD version? --mailed to security@rutgers rather than posted, perhaps.
>It does decrypt passwords, I believe?)
>

Decrypt passwords ? I think not since trying to vipw a large passwd file would
take a lot of CPU time. DES generated passwords ain't that easy to decrypt,
right ?

After all, if they were, why would the passwd file be world readable on most
machines ?

Deus
gwyn@brl-smoke.ARPA (Doug Gwyn ) (07/13/87)
In article <3703@cisunx.UUCP> nk233514@cisunx.UUCP (Deus) writes:
>After all, if they were, why would the passwd file be world readable on most
>machines ?

It contains user information (name<->UID mapping, for instance) that
is of general use to nonprivileged applications.

However, having the encrypted passwords publicly visible IS a botch,
even though it seemed cute at the time. With modern technology it is
not hard to discover several passwords in a reasonable amount of time
if the encrypted passwords are available for inspection.

What is needed is a trusted password verifier (which might maintain
encrypted passwords as an extra level of safety, but would not have
its password database readable by untrusted programs in any case).
It would not be hard to design such a beast and adapt the few programs
and routines that currently verify passwords. Somebody skilled in
UNIX security should check any implementation of this idea, however,
BEFORE it is used -- there are lots of loopholes that one must be
aware of and deal with.
greywolf@unisoft.UUCP (The Grey Wolf @ ext 165) (07/22/87)
In article <2812@ncoast.UUCP> allbery@ncoast.UUCP (Brandon Allbery) writes:
>As quoted from <3671@cisunx.UUCP> by nk233514@cisunx.UUCP (Deus):
>+---------------
>| In article <207@macom1.UUCP> michael@macom1.UUCP (Michael Mullins) writes:
>| >Once the password is assigned, I "vi /etc/passwd" and yank the password
>| One thing I'd like to pass along is to use vipw, not vi, to edit the passwd
>| file.
>+---------------
>
>BSD has "vipw". Sys3, SysV, Xenix, etc. DON'T. (Someone want to come up
>with a PD version? --mailed to security@rutgers rather than posted, perhaps.
>It does decrypt passwords, I believe?)

--------

I don't know of a routine that decrypts passwords, as such a routine would
be considered dangerous to system security.

All vipw does is provide a locking mechanism of a very primitive
nature so that nobody can run a passwd/chfn/chsh while vipw is in effect.
The same is true of each of those programs...if one is writing to the passwd
file, another will print the message "progname: passwd temp file busy."

Hope that helped...

The Grey Wolf
--------------------------------------------------------------------------------
Faster than pure assembly code...
More powerful than kill -9...
able to unmount busy file systems in a single call...
 ______    it's a (long) word...
/ |  | \   it's a (back)plane...
\=#==#=/
 \|  |/    it's...
  \==/
   \/      SUPERUSER!!!!
------------------------------------------------------------------------------
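
[Added example, not part of any post in this thread and not the vipw source.] The /etc/ptmp locking that the posts above describe comes down to creating the temp file exclusively, editing the copy, and renaming it into place. This Python sketch runs on scratch files in a temporary directory; the function names and the sample entries are constructed for illustration.

```python
import os
import tempfile

BUSY = "passwd temp file busy"  # the message quoted in the thread

def lock_and_copy(passwd, ptmp):
    """Take the lock by creating ptmp exclusively, then copy passwd into it."""
    try:
        # O_EXCL makes "create if absent" one atomic step: one caller wins.
        fd = os.open(ptmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        raise RuntimeError(BUSY)
    with os.fdopen(fd, "w") as tmp, open(passwd) as src:
        tmp.write(src.read())

def commit(passwd, ptmp):
    """Install the edited copy; the rename also releases the lock."""
    os.rename(ptmp, passwd)

def demo():
    d = tempfile.mkdtemp()
    passwd, ptmp = os.path.join(d, "passwd"), os.path.join(d, "ptmp")
    with open(passwd, "w") as f:           # constructed sample entry
        f.write("root:*:0:0:Operator:/:/bin/csh\n")
    lock_and_copy(passwd, ptmp)            # administrator starts editing
    try:
        lock_and_copy(passwd, ptmp)        # a passwd-style updater arrives
        second = "got the lock"
    except RuntimeError as e:
        second = str(e)                    # refused, so no update is lost
    with open(ptmp, "a") as f:             # the administrator's edit
        f.write("chris:*:101:20:Chris:/usr/chris:/bin/sh\n")
    commit(passwd, ptmp)
    lock_and_copy(passwd, ptmp)            # lock is free again after commit
    os.unlink(ptmp)                        # abandon this second session
    with open(passwd) as f:
        return second, f.read().count("\n"), os.path.exists(ptmp)

if __name__ == "__main__":
    print(demo())
```

A session that exits without renaming or removing the temp file leaves the lock held, which is why every exit path has to clean it up.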
ron@topaz.rutgers.edu (Ron Natalie) (07/22/87)
Actually, it copies the file first and after you are done editing
it makes sure that there is an account called root with a uid of
zero and the requisite number of colons on the line and has a home
directory of /. It also performs the job of rebuilding the dbm
database in 4.3 that enables fast pwent lookups.

Another feature is that it does an explicit chmod to 644 so that
people with either extremely generous or paranoid umasks won't
make the file writable or unreadable to the public.

It would be nice if it checked the number of colons on all the
lines, verified that the numeric fields were numeric, and checked
for silly null entries that other programs make that end up being
security bugs (like ::0:0:::) on some systems.

-Ron
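
[Added example, not part of any post in this thread and not the vipw source.] The root-entry check and the per-line checks asked for in the post above (colon count, numeric uid and gid, null entries such as ::0:0:::) can be written as a short linter. The function name, the messages and the sample file are constructed for illustration; "*" stands in for the password field.

```python
import re

# Constructed sample: line 3 has a letter in the uid, line 4 is missing a
# field, line 5 is the null entry quoted in the post above.
SAMPLE = """\
root:*:0:0:Operator:/:/bin/csh
bin:**NO WAY**:3:3::/bin:
chris:*:1o1:20:Chris:/usr/chris:/bin/sh
guest:*:200:20:/usr/guest:/bin/sh
::0:0:::
"""

NUMERIC = re.compile(r"[0-9]+")

def check_passwd(text):
    """Return (line_number, problem) pairs; line 0 means a whole-file problem."""
    problems = []
    root_ok = False
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((n, "expected 6 colons, found %d" % (len(fields) - 1)))
            continue
        name, _pw, uid, gid, _gecos, home, _shell = fields
        if not name:
            problems.append((n, "empty login name"))
        if not NUMERIC.fullmatch(uid):
            problems.append((n, "non-numeric uid"))
        if not NUMERIC.fullmatch(gid):
            problems.append((n, "non-numeric gid"))
        if name == "root" and uid == "0" and home == "/":
            root_ok = True
    if not root_ok:
        problems.append((0, "no root entry with uid 0 and home directory /"))
    return problems

if __name__ == "__main__":
    for lineno, problem in check_passwd(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```

Running it on the edited copy before the rename keeps a malformed file from ever becoming the live passwd file.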
mpl@sfsup.UUCP (M.P.Lindner) (07/24/87)
In article <462@unisoft.UUCP>, greywolf@unisoft.UUCP (The Grey Wolf @ ext 165) writes:
: In article <2812@ncoast.UUCP> allbery@ncoast.UUCP (Brandon Allbery) writes:
: >As quoted from <3671@cisunx.UUCP> by nk233514@cisunx.UUCP (Deus):
: >+---------------
: >| In article <207@macom1.UUCP> michael@macom1.UUCP (Michael Mullins) writes:
: >| >Once the password is assigned, I "vi /etc/passwd" and yank the password
: >| One thing I'd like to pass along is to use vipw, not vi, to edit the passwd
: >| file.
: >+---------------
: >
: >BSD has "vipw". Sys3, SysV, Xenix, etc. DON'T. (Someone want to come up
: >with a PD version? --mailed to security@rutgers rather than posted, perhaps.
: >It does decrypt passwords, I believe?)
:
: --------
:
: I don't know of a routine that decrypts passwords, as such a routine would
: be considered dangerous to system security.
:
: All vipw does is provide a locking mechanism of a very primitive
: nature so that nobody can run a passwd/chfn/chsh while vipw is in effect.
: The same is true of each of those programs...if one is writing to the passwd
: file, another will print the message "progname: passwd temp file busy."

I may be coming into this discussion late, but if you're looking for a way to
get an encrypted password to put into /etc/group (which is what it sounds like
the original poster had in mind), System V users can use "/usr/lib/makekey".
It's in the manual. It takes a password and makes the ugly 14 character
string out of it that you normally see in between the ::'s in
/etc/passwd-like files.