Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: None <tech-userlevel@NetBSD.ORG, tech-kern@NetBSD.ORG, netbsd-users@NetBSD.ORG>
From: Jon Ribbens <jon@oaktree.co.uk>
List: tech-userlevel
Date: 10/18/1996 16:53:57
Bill Sommerfeld wrote:
> This whole thread is silly.
> 
> The data in question (encrypted passwords) is stored in a certain file
> which is mode 0600 owned by root.
> 
> It makes no sense to go to extreme measures to make it more protected
> than that, especially since (in this case) the FTP server presumably
> just received the (infinitely more dangerous) *plaintext* password in
> the clear over the net.  It's probably still lurking about in the
> stdio buffers...

The ftpd starts out as root, fetches the passwords, and then the
user can make it setuid to themselves by typing their user-name
and password. They can then make it core-dump (using 'kill') and
read the encrypted passwords. I tried it just now and it worked.
Hence this thread is not silly. Anyone with a shell account on
a machine can trivially gain access to the shadow password file.

I'd appreciate it if whoever it was who patched their kernel to
not core-dump programs which *used to be* SUID could post their
patch here.

Cheers


Jon

PS. Actually, it didn't work, because I'm using wu-ftpd. When
    I switched back to the standard NetBSD 1.1 ftpd for a sec to
    check it, it did work. wu-ftpd catches every signal under the
    sun and doesn't core-dump on them. This is obviously not
    a very nice solution.

PPS. Sorry if this is on the wrong lists, but the NetBSD lists
     are set-up weirdly it seems and replying to the message
     didn't send it to the list like it should've. I'm not sure
     what lists the thread was on now.
____
\  //    Jon Ribbens    //
 \// jon@oaktree.co.uk //