How secure is UNIX?

Jonathan I. Kamens jik at athena.mit.edu
Sun Jun 10 18:30:06 AEST 1990


In article <720016 at hpclapd.HP.COM> defaria at hpclapd.HP.COM (Andy
DeFaria) writes:
>I thought I explained this. IMHO /etc/passwd should NOT be publicly
>readable. If this were true then you couldn't ftp as root because you
>wouldn't even know the encrypted password, which, IMHO, you shouldn't have
>access to.

  Oh, jolly good.  So now you're proposing to take all the passwords
(or, at least, encrypted passwords) and put them in an /etc/shadow
file, but other than the fact that the file isn't world-readable, the
rest of the scenario I described is correct, right?

  In that case, you're basing the entire security of your system on
the readability or non-readability of one file.  Do you know how many
ways there are in Unix to read a file you're not supposed to be able
to read?  Or to read portions of that file?

  The elegance of the standard Unix security mechanism is that, given
well-chosen and moderately-frequently-changed passwords, it doesn't
*matter* whether or not someone can read the /etc/passwd file, because
doing so *does not enable them to break the security of your system*,
at least not in the short term.

  Under the system you propose, you've completely eliminated that
elegance.  Indeed, if the password file isn't world-readable, then why
not just store the plaintext password in it, and not the encrypted
password?  After all, according to what you're saying, all you need to
do to verify that someone is who they say they are is to compare the
string they give you to the string in a file that isn't
world-readable, so why bother with the encryption?

  One more note -- this whole discussion started when someone suggested
that people be allowed to store their encrypted passwords in the
.netrc file, rather than their plaintext passwords, to prevent people
who managed to read their .netrc file from using it to gain access to
other systems.  Your proposal doesn't fix that problem, because, as
I've already said, if the encrypted password is what is used for the
authentication, then if I can read your .netrc, I can still use its
contents to break into your other accounts.

Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik at Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710