On Thu, Jun 22, 2000 at 02:09:29PM -0400, Paul Lussier <[EMAIL PROTECTED]> wrote:
> 
> In a message dated: Thu, 22 Jun 2000 13:41:01 EDT
> Bob Bell said:
> 
> >On Thu, Jun 22, 2000 at 01:28:03PM -0400, Paul Lussier <[EMAIL PROTECTED]> wrote:
> >> No, but you could su to pll, then use yppasswd to change my password and 
> >> thereby gain access to my sudo privileges, which most likely give you any 
> >> access you need on any machine at all.  All this would be mostly impossible if 
> >> root access weren't compromised in the first place.
> >
> >    I'm still curious how being root on my machine can lead to getting
> >access to another user's files on their machine or a common server.  On
> >Tru64, at least, yppasswd asks for the old NIS password.  Wouldn't
> >this prevent me from gaining access unless I actually know the current
> >password?
> 
> Does it ask you for the old NIS passwd if you:
> 
>       bell@foo> su
>       root@foo> yppasswd pll
> 
> ?

    Yes, in fact it still does.  I need to know the old user password
to change the password, even when logged in as root locally.  It asks
for the old NIS passwd even if I'm logged in as the user for which I
want to change the password.

    Tru64 has a man page for yppasswd in section 3, which says in
part:

yppasswd(oldpass, newpw)
  char *oldpass;
  struct passwd *newpw;

If oldpass is indeed the old user password, this routine replaces the
password entry with newpw.

> Linux only asks you for the root password, which you already know; it does not 
> ask you for the user's old passwd.  Solaris doesn't even ask you for that, 
> since it knows you're root, you must be okay :)

    Yikes!  That doesn't sound good.

    I wonder if communicating to yppasswdd is secure on Tru64 as well?

-- 
Bob Bell                Compaq Computer Corporation
Software Engineer       110 Spit Brook Rd - ZKO3-3/U14
TruCluster Group        Nashua, NH 03062-2698
[EMAIL PROTECTED]     603-884-0595
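The two behaviours compared in this thread, modelled as an added example (not code from Tru64, Linux or anyone on the list): a sketch of the check a yppasswdd would apply to a yppasswd(oldpass, newpw) request. The hash function is a constructed stand-in for crypt(3), and the struct, policy enum and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define HASH_LEN 17            /* 16 hex chars + NUL */

struct nis_pw { char name[32]; char hash[HASH_LEN]; };

/* Policies seen in the thread: Tru64 always demands the old password;
 * Linux/Solaris skip that check when the caller is root. */
enum yp_policy { YP_REQUIRE_OLDPASS, YP_TRUST_ROOT };

/* Stand-in for crypt(3), constructed for this example only: 64-bit FNV-1a
 * rendered as hex. Not a real password hash; it just lets the policy logic run. */
static void toy_hash(const char *pw, char out[HASH_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *pw; pw++) { h ^= (unsigned char)*pw; h *= 0x100000001b3ULL; }
    snprintf(out, HASH_LEN, "%016llx", (unsigned long long)h);
}

/* Constant-time comparison so a rejected guess leaks nothing through timing. */
static int ct_equal(const char *a, const char *b) {
    unsigned char d = 0;
    for (size_t i = 0; i < HASH_LEN - 1; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Build the NIS entry the daemon holds for a user (fixture for the example). */
void yp_make_entry(struct nis_pw *e, const char *name, const char *pw) {
    snprintf(e->name, sizeof e->name, "%s", name);
    toy_hash(pw, e->hash);
}

/* Model of the daemon side of yppasswd(oldpass, newpw).
 * Returns 1 if the entry was replaced, 0 if the request was refused. */
int yp_change_password(struct nis_pw *e, uid_t caller, const char *oldpass,
                       const char *newpass, enum yp_policy policy) {
    int root_bypass = (policy == YP_TRUST_ROOT && caller == 0);
    if (!root_bypass) {
        char probe[HASH_LEN];
        if (oldpass == NULL) return 0;           /* old password not offered */
        toy_hash(oldpass, probe);
        if (!ct_equal(probe, e->hash)) return 0; /* old password wrong */
    }
    toy_hash(newpass, e->hash);                  /* "replaces the entry with newpw" */
    return 1;
}
```

Under YP_REQUIRE_OLDPASS a local root cannot move pll's NIS password without already knowing it; under YP_TRUST_ROOT the same caller replaces it with no knowledge at all, which is the gap the thread is worried about.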
