Serious security problem with yppasswdd

Viktor Dukhovni viktor%fine.Princeton.EDU at princeton.edu
Wed Feb 1 22:01:58 AEST 1989


[[ I saw this on Sun-Nets and decided that many people here would also be
interested in seeing it.  I changed the subject line to more accurately
reflect the message's content.  --wnl ]]

Turn off your unpatched yppasswdd servers immediately!!!  Anyone on the
internet can convince these to create a passwordless root account.  I will
post the method in two weeks' time unless strongly urged not to do so.
(This gives everyone plenty of time to get the SUN patch tape, or turn
off yppasswdd.  I do believe though in giving people a chance to take
action before compromising whatever measure of security they have left.)

	Viktor.

[[ This bug apparently exists in all known yp implementations:  3.x, 4.0,
4.0.1, and even implementations that aren't Sun's.  Our system manager
called Sun for a patch tape, but I haven't heard yet if they even returned
her call or acknowledged that such a tape exists.  --wnl ]]


