Re: passwd command in AIX 4.1.4
From: chris () whitman gmu edu (Chris Burris)
Date: Mon, 5 Feb 1996 20:55:40 -0500
On Mon, 5 Feb 1996, Dave Roberts wrote:
> The passwd command under AIX 4.1.4 does not ask for the old password if
> you are root, even if you are changing root's password. To me this is a
> serious security flaw, but I haven't had any satisfaction from IBM or my
> suppliers (that said they would pass on my opinion).
I am assuming that IBM wasn't aware of the sysadmins who leave the console
for a few minutes. Linux also has this "problem". I suspect since the
passwd code was designed so that root could change any user's passwd,
there wasn't a provision to check to see if root was changing root's passwd.
Still, this could be easily bypassed by simply editing the /etc/passwd file,
setting the passwd field to null.
Violation Communications Inc.
chris () violation ml org