Home page logo

bugtraq logo Bugtraq mailing list archives

Re: passwd command in AIX 4.1.4
From: chris () whitman gmu edu (Chris Burris)
Date: Mon, 5 Feb 1996 20:55:40 -0500

On Mon, 5 Feb 1996, Dave Roberts wrote:

The passwd command under AIX 4.1.4 does not ask for the old password if
you are root, even if you are changing root's password.  To me this is a
serious security flaw, but I haven't had any satisfaction from IBM or my
suppliers (that said they would pass on my opinion).

I am assuming that IBM wasn't aware of the sysadmin who leave the console
for a few minutes. Linux also has this ''problem''. I suspect since the
passwd code was designed so that root could change any users passwd,
therewasn't a provision to check to see if root was changing root's passwd.
Still. This could be easily bypassed by simply editing the /etc/passwd file.
Setting the passwd field to null.

Chris Burris
Violation Communications Inc.
chris () violation ml org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]