Do not use blank lines in /etc/passwd
Chris Torek
chris at umcp-cs.UUCP
Thu Oct 30 20:01:44 AEST 1986
>In article <4701 at brl-smoke.ARPA> hoey at NRL-AIC.arpa (Dan Hoey) writes:
>>At least in vanilla 4.2, having blank lines anywhere in your password
>>file opens a security hole that I will forbear to discuss on this list.
>>... If you want to insert blank lines for readability (which is
>>how I discovered the bug) use nearly-blank lines like
>>
>>x:*:0:0: ::
In article <2837 at rsch.WISC.EDU> mcvoy at rsch.WISC.EDU (Lawrence W. McVoy) writes:
>Umm, could be sort of a security hole in itself. . . .
Not as bad as the original blank-line problem.
In fact, if you insert a line of the form
:*:0:0:::
near the top of the file, this provides an ugly sort-of-workaround to
the original problem. The *real* problem is that the C library
getpwent() routine is not careful, and that passwd is not careful
about getpwent().
--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7690)
UUCP: seismo!umcp-cs!chris
CSNet: chris at umcp-cs ARPA: chris at mimsy.umd.edu
More information about the Comp.unix.wizards
mailing list