leadley@uhura.cc.rochester.edu (Scott Leadley) (07/20/90)
There is no locking mechanism for /etc/security/passwd.adjunct. This leaves open the possibility of two (or more) people editing the file simultaneously. Also, using vipw does not block password updates (it should give the message "passwd: password file busy - try again.") and leaves open another avenue for simultaneous updates.

This is in addition to some substantial implementation errors (in 4.0.3):

- passwd doesn't use the ##tag as the index into the passwd.adjunct file, but uses the username instead.
- the "secure" designation in /etc/ttytab is ignored when booting and shutting down. The root password is always requested.

If Sun is serious about their C2 security, these problems should be fixed ASAP.

Scott Leadley - leadley@cc.rochester.edu
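
The kind of exclusive lock the post says is missing, as an added example (not part of the original post and not SunOS code): a wrapper that creates a lock file atomically, edits a private copy, and renames it into place. The function names, the ".lock" suffix and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cooperative lock-file wrapper for a shared account file.
# Function names and the ".lock" suffix are hypothetical, not SunOS conventions.

# acquire_lock LOCKFILE: create LOCKFILE atomically; fail if it already exists.
acquire_lock() {
    # noclobber (set -C) makes '>' refuse to overwrite an existing file, so
    # only one process wins; the subshell keeps the option local.
    ( set -C; echo "$$" > "$1" ) 2>/dev/null
}

# release_lock LOCKFILE: remove the lock only if this shell created it.
release_lock() {
    if [ -f "$1" ] && [ "$(cat "$1")" = "$$" ]; then rm -f "$1"; fi
}

# locked_edit FILE CMD [ARGS...]: run CMD on a private copy of FILE while
# holding FILE.lock, then rename the copy into place.
# Returns 1 if busy, 2 if CMD failed or left an empty file, 3 if rename failed.
locked_edit() {
    target=$1; shift
    lock="$target.lock"
    tmp="$target.tmp.$$"
    if ! acquire_lock "$lock"; then
        echo "locked_edit: $target busy - try again." >&2
        return 1
    fi
    rc=0
    if cp -p "$target" "$tmp" && "$@" "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$target" || rc=3   # same directory, so this is a rename
    else
        rc=2                          # original file is left untouched
    fi
    rm -f "$tmp"
    release_lock "$lock"
    return "$rc"
}

# Demo on a constructed file in a scratch directory: sh thisfile demo
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d) && f="$dir/passwd.adjunct"
    printf 'root:*:::::\nalice:*:::::\n' > "$f"      # constructed entries
    add_bob() { echo 'bob:*:::::' >> "$1"; }
    locked_edit "$f" add_bob && cat "$f"
    rm -rf "$dir"
fi
```

A lock like this only serializes programs that check it, so it covers administrators who all edit through the wrapper but not a passwd binary that writes the file without looking for the lock.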