prl@eiger.uucp (02/01/89)
There is a hole in chfn(1) and chsh(1) which allows normal users to create user-id 0 entries in /etc/passwd with no password. This allows them to become root (superuser) on the machine.

The workaround is to disable these commands for normal users. The workaround is different for SunOS 3.x and 4.x. You will need to be root to apply this workaround. We have been using this workaround at IIS since about the middle of January without any problems.

The workaround causes users without root privilege to be unable to use passwd -f, passwd -s (4.x only), chfn and chsh.

I have submitted this patch to Sun Switzerland as a followup to my bug report on this problem. A better fix, if you have source, is to apply Keith Bostic's fixes to passwd.c and install that.

SunOS 3.x:
##########

    chmod 755 /usr/ucb/chfn /usr/ucb/chsh

(this may produce the error message

    chmod: /usr/ucb/chfn: No such file or directory

this means that your system doesn't have chfn)

SunOS 4.0:
##########

    <barossa> cp /bin/passwd .
    <barossa> strings -o passwd | egrep '(fsF:|chfn|chsh)$'
    17128 chfn
    17133 chsh
    17174 fsF:
    18402 chsh
    18451 chfn
    <barossa> adb -w - passwd
    not core file = passwd
    * 0t17128/s
    0x42e8: chfn
    * ./w 0
    0x42e8: 0x6368 = 0x0
    * 0t17133/s
    0x42ed: chsh
    * ./w 0
    0x42ed: 0x6368 = 0x0
    * 0t17174/s
    0x4316: fsF:
    * /X
    0x4316: 6673463a
    * ./W 0x463a0000
    0x4316: 0x6673463a = 0x463a0000
    * 0t18402/s
    0x47e2: chsh
    * ./w 0
    0x47e2: 0x6368 = 0x0
    * 0t18451/s
    0x4813: chfn
    * ./w 0
    0x4813: 0x6368 = 0x0
    * $q
    <barossa> strings -o passwd | egrep '(fsF:|chfn|chsh)$'
    <barossa> mv /bin/passwd /bin/passwd.old
    <barossa> cp ./passwd /bin/passwd
    <barossa> chmod 4755 /bin/passwd
    <barossa> chmod 755 /bin/passwd.old /bin/chfn /bin/chsh

Notes:

Lines starting <barossa> are typed as shell commands. Lines starting with `*' are input lines to `adb' (don't type the *!). All other lines are computer output. The second call of `strings' should produce no output.

The numbers above (output from strings and input to adb) are for SunOS 4.0.1. Use the corresponding numbers produced by strings on your system if they are different.

Peter Lamb
uucp:  seismo!mcvax!ethz!prl    Tel: (01) 256 5241 (Switzerland)
eunet: prl@iis.ethz.ch               +411 256 5241 (International)
Integrated Systems Laboratory
ETH-Zentrum 8092 Zurich
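
The strings/adb steps of the SunOS 4.0 workaround, as an added example that is not part of the original post: it locates the same three strings by content rather than by hard-coded offset, applies the same byte changes that the `./w 0` and `./W 0x463a0000` writes make, and repeats the check that the second `strings' call performs. The names find_targets, patch and SAMPLE are made up for this sketch, and SAMPLE is a constructed byte string, not a real passwd binary.

```python
import re

# Tokens from the post's egrep pattern and the bytes adb writes over each:
# `./w 0` zeroes the first 16-bit word of "chfn"/"chsh" (the string becomes
# empty); `./W 0x463a0000` turns the option string "fsF:" into "F:" + 2 NULs.
PATCHES = {b"chfn": b"\0\0", b"chsh": b"\0\0", b"fsF:": b"F:\0\0"}
RUN = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs, as strings(1) reports

# Constructed stand-in for the binary's string table (assumption, not real data).
SAMPLE = b"\x7f\x01\0\0chfn\0chsh\0fsF:\0Usage: passwd\0chsh\0chfn\0"


def find_targets(data):
    """Equivalent of: strings -o | egrep '(fsF:|chfn|chsh)$'.
    Returns (offset_of_run_start, run_bytes) for every matching run."""
    return [(m.start(), m.group()) for m in RUN.finditer(data)
            if m.group()[-4:] in PATCHES]


def patch(data):
    """Apply the post's edits to a copy; returns (patched_bytes, offsets)."""
    out = bytearray(data)
    done = []
    for off, run in find_targets(data):
        if run not in PATCHES:
            # A longer string that merely ends in a token: the post's session
            # never shows one, so leave it untouched for manual review.
            continue
        new = PATCHES[run]
        out[off:off + len(new)] = new
        done.append(off)
    return bytes(out), done


if __name__ == "__main__":
    patched, offsets = patch(SAMPLE)
    print("patched at offsets:", offsets)
    # Same check as the second strings call: nothing should be left.
    print("still matching:", find_targets(patched))
```

Anything find_targets still reports after patching is a string the post's procedure does not cover and needs a manual look before the copy replaces /bin/passwd.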