Security Basics mailing list archives

Re: Netinfo Manager


From: Gene Cronk <gcronk () trsg net>
Date: Tue, 23 Sep 2003 15:31:04 -0400

Wouldn't chown root nidump and chmod 700 nidump fix this?

Matteo wrote:

| Hi,
|
| I'm using Mac OS 10.2.8 Server and today I was quite surprised to see
| that a normal user on my server can obtain the encrypted passwords of
| all the users just using the command "nidump password .":
|
| bash-2.05a$ nidump passwd .
| nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
| root:*EncryptedPass:0:0::0:0:System Administrator:/var/root:/bin/tcsh
| ...
|
| Isn't this a security flaw? Is Apple going to fix it in the next release
| of Mac OS X (Panther)? Now, how to prevent users from seeing the passwords
| of the other users?
|
| Thanks

--
Gene Cronk MCP,iNet+ (gcronk () trsg net)
The Robin Shepherd Group -- Systems Administrator
Office (904)-359-0981 Ext. 36
Cell (386)-795-3081

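A check for the situation in this thread, as an added example that is not part of either poster's message: it parses a dump in the 10-field format quoted above and lists accounts whose password field holds anything other than a placeholder, and it tests whether an owner and mode match the chown root / chmod 700 suggestion. The sample dump is constructed, and the function names are hypothetical.

```python
import stat

# Field layout of the dump quoted in the post (10 colon-separated fields).
FIELDS = ("name", "passwd", "uid", "gid", "class",
          "change", "expire", "gecos", "home", "shell")

# Password-field values that carry no hash material.
PLACEHOLDERS = {"*", "x", "!", "!!"}

# Constructed sample dump; the hash-like strings are made up.
SAMPLE = """\
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:Ab3dEfGhIjKlM:0:0::0:0:System Administrator:/var/root:/bin/tcsh
alice:Zx9yWvUtSrQpO:501:20::0:0:Alice Example:/Users/alice:/bin/bash
guest::502:20::0:0:Guest:/Users/guest:/bin/bash
...
"""


def parse_dump(text):
    """Yield one dict per well-formed record, skipping blanks and elisions."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))


def exposed_accounts(text):
    """Return (name, finding) for records whose password field is readable."""
    findings = []
    for rec in parse_dump(text):
        if rec["passwd"] == "":
            findings.append((rec["name"], "empty"))
        elif rec["passwd"] not in PLACEHOLDERS:
            findings.append((rec["name"], "hash"))
    return findings


def root_only(uid, mode):
    """True if owner is root and group/other have no permission bits."""
    return uid == 0 and not mode & (stat.S_IRWXG | stat.S_IRWXO)


if __name__ == "__main__":
    for name, finding in exposed_accounts(SAMPLE):
        print(f"{name}: {finding} password field visible to this user")
    print("0700 root:", root_only(0, 0o100700))
    print("0755 root:", root_only(0, 0o100755))
```

Feeding exposed_accounts the output captured as an unprivileged user after a permissions change shows whether that account still sees password fields through this path; an empty list means it does not.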