Bugtraq mailing list archives
Re: finger-bombing
From: Brad.Powell () EBay Sun COM (Brad Powell)
Date: Fri, 14 Oct 94 09:09:25 PDT
Charles Howes writes:

> How *do* you set up shadow passwords, anyway?
upgrade to solaris 2.3 :-) :-) :-).
Seriously, see attached below.
=======================================================================
Brad Powell : brad.powell () Sun COM          |
Full Time: Sr. Network Security Analyst       | Part time: Cyberspace PI
ENS Network Security Group                    |            and Consultant
Sun Microsystems Inc.                         |
=======================================================================
The views expressed are those of the author and may
not reflect the views of Sun Microsystems Inc.
=======================================================================
[Attachment: mkshadow, shell script]
#!/bin/sh
#
# $RCSfile: mkshadow,v $ $Revision: 1.6 $
# $Date: 90/04/28 23:44:31 $
# $Author: leadley $
# $CHECK: bpowell 90-06-30
#
# Usage: mkshadow [-f]
#
#	-f (force)	skip the sanity check
#
# Start using the SunOS 4.n shadow password file without bothering with
# the C2 auditing. This script is a little more paranoid than the Sun
# supplied C2conv:
#
#                                        C2conv             mkshadow
#                                        ------             --------
#   /etc/passwd.bak               owner  ?previous owner?   root
#                                 group  ?previous group?   wheel
#                                 mode   ?previous mode?    400
#   /etc/security/                owner  root               root
#                                 group  usually staff      wheel
#                                 mode   2711 or 711        2711
#   /etc/security/passwd.adjunct  owner  root               root
#                                 group  usually staff      wheel
#                                 mode   640                600
#
# It wouldn't be terrible to make the mode of /etc/security/ 2700, but that
# would break issecure(3) for ordinary folks.
#
# C2conv also sets up a shadow password file for /etc/group, but why
# bother? If you are feeling energetic and want to maintain two group files,
# read group.adjunct(5).
#
# Caveat emptor. READ THE SCRIPT. If you trust me to have figured out
# all the ways you could have screwed things up, you're crazy. Use at your
# own risk. Lawyers will be shot on sight. Etcetera.
#
# Scott Leadley, University of Rochester, 4/24/90
#
# PS Why doesn't lockscreen work with a shadow password file?

PATH=/usr/bin:/usr/ucb:/usr/etc
export PATH

usage() {
	echo "usage: $1 [-f]"
}

fail() {
	echo "$1" 1>&2
	echo "Shadow password file creation failed." 1>&2
	exit 1
}

FALSE=1
TRUE=0

#
# Parse the arguments: "-f" is the only option accepted.
case $# in
0)	;;
1)	if [ "$1" != "-f" ]; then
		fail "`usage $0`"
	fi
	;;
*)	fail "`usage $0`"
	;;
esac
#
# You must do this as root.
if [ `whoami` != root ]; then
	fail "Root must run this program."
fi
#
# The C2 security package must be installed (or at least rpc.pwdauthd).
if [ ! -x /usr/etc/rpc.pwdauthd ]; then
	fail "The C2 security package is not installed. It is a prerequisite."
fi
#
# Minor sanity check: is the current password file secure enough for
# the shadow password file to do any good? I'm not your Mom, so don't expect
# this check to be very thorough.
if [ "$1" != "-f" ]; then
	# Check that, at the very least, /, /etc and /etc/passwd aren't
	# writeable by everyone. The awk looks at the next-to-last character
	# of the ls mode string (the "other" write bit) and exits 1 when it
	# is "-", so the "if" only succeeds when the file is world-writeable.
	if ls -lgd / | awk '{if($1~/-.$/) exit 1;}'; then
		fail "Anyone can write to /. Fix this more basic security problem first."
	fi
	if ls -lgd /etc | awk '{if($1~/-.$/) exit 1;}'; then
		fail "Anyone can write to /etc. Fix this more basic security problem first."
	fi
	if ls -lgd /etc/passwd | awk '{if($1~/-.$/) exit 1;}'; then
		fail "Anyone can write to /etc/passwd. Fix this more basic security problem first."
	fi
fi
#
# There must be a /etc/security directory to put passwd.adjunct in.
pwdauthd_started_by_hand=$FALSE
if [ ! -d /etc/security ]; then
	mkdir /etc/security
	# The SunOS 4.0.3 supplied /etc/rc.local starts rpc.pwdauthd only
	# if /etc/security/passwd.adjunct exists.
	( cd /; rpc.pwdauthd & )
	pwdauthd_started_by_hand=$TRUE
	echo "rpc.pwdauthd started. Started by /etc/rc.local from now on."
fi
#
# The idly curious are denied satisfaction.
chown root.wheel /etc/security
chmod 711 /etc/security; chmod g+s /etc/security
#
# Create a null /etc/security/passwd.adjunct file.
if [ ! -f /etc/security/passwd.adjunct ]; then
	touch /etc/security/passwd.adjunct
	if [ $pwdauthd_started_by_hand -eq $FALSE ]; then
		# /etc/security/ existed, but passwd.adjunct didn't ...
		# interesting.
		( cd /; rpc.pwdauthd & )
		pwdauthd_started_by_hand=$TRUE
		echo "rpc.pwdauthd started. Started by /etc/rc.local from now on."
	fi
else
	fail "/etc/security/passwd.adjunct already exists!"
fi
#
# It should be impervious to inspection by anyone but root (I wish).
chown root.wheel /etc/security/passwd.adjunct
chmod 600 /etc/security/passwd.adjunct
#
# The old password file (with passwords still in it) should be locked up.
cp /etc/passwd /etc/passwd.bak
if [ $? -ne $TRUE ]; then
	fail "Couldn't create /etc/passwd.bak. Too dangerous to proceed."
fi
chown root.wheel /etc/passwd.bak
chmod 400 /etc/passwd.bak
#
# Assume that whatever owner, group and mode are current on /etc/passwd
# make you happy and leave it alone.
#
# Split up the old password file. One twist (I don't know why, but just
# to be consistent with C2conv) is that "audit:*:::::all" is the first line in
# the passwd.adjunct file. Any existing audit entry is deleted and that line
# is inserted explicitly, so the split works whether or not /etc/passwd
# carries an audit user. Dealing with NIS (YP) passwd entries and determining
# if NIS is actually running is just too damn complicated, so punt. NIS
# passwd entries are left as is.
#
# The ex script below runs on vipw's working copy of /etc/passwd. It first
# filters every line down to "name:hash:::::" and writes that as
# passwd.adjunct, then reloads the original and replaces every local hash
# with "##name", the marker that tells the C2 library the real hash lives in
# passwd.adjunct. The backslashes keep $, % and # away from the shell
# (heredoc) and from ex (where % and # mean the current and alternate file).
EDITOR=ex
export EDITOR
vipw >/dev/null <<EOF
1,\$! awk -F: '{printf "\%s:\%s:::::\n", \$1, \$2;}'
g/^audit:/d
1i
audit:*:::::all
.
g/^+/d
w! /etc/security/passwd.adjunct
e!
1,\$! awk -F: '{if(\$1~/^\+/)print;else printf "\%s:\#\#\%s:\%s:\%s:\%s:\%s:\%s\n", \$1, \$1, \$3, \$4, \$5, \$6, \$7;}'
w!
q
EOF
egrep '^\+' /etc/passwd >/dev/null
if [ $? -eq $TRUE ]; then
	echo "NIS (YP) passwd entries need to be added to the shadow password file by hand."
fi
#
# Reminder to comment out the auditd startup in /etc/rc.local.
echo "Remember to comment out or delete the auditd startup in /etc/rc.local:"
echo
sed -n "/auditd/,/fi/s/^/	/p" /etc/rc.local
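The passwd split that mkshadow drives through vipw and ex, rewritten here as plain awk so the two resulting file formats are easy to read and check. This is an added example, not part of the attached script or of Sun's C2conv; the function names, the checker and the sample accounts are all constructed for illustration, and every path is an argument so it runs on a copy rather than on /etc.

```sh
#!/bin/sh
# Added example (not part of the mkshadow attachment): the same passwd split
# as mkshadow's ex/awk pipeline, without the heredoc and ex escaping.
#   passwd.adjunct : "audit:*:::::all", then name:hash::::: per local entry
#   passwd         : hash field replaced by "##name"; NIS "+" lines untouched
# Usage: split_passwd SRC_PASSWD OUT_PASSWD OUT_ADJUNCT  (all paths arguments)
split_passwd() {
    src=$1 out_passwd=$2 out_adjunct=$3
    awk -F: -v pw="$out_passwd" -v adj="$out_adjunct" '
        BEGIN { printf("audit:*:::::all\n") > adj }
        $1 ~ /^[+]/ { print > pw; next }                  # NIS entry: copy as is
        $1 != "audit" { printf("%s:%s:::::\n", $1, $2) > adj }
        { printf("%s:##%s:%s:%s:%s:%s:%s\n", $1, $1, $3, $4, $5, $6, $7) > pw }
    ' "$src"
}

# Check a passwd file: every local entry must carry "##name" in the hash
# field. Returns 0 when fully shadowed, 1 if any real hash is still there.
passwd_is_shadowed() {
    awk -F: '$1 !~ /^[+]/ && $2 != ("##" $1) { bad = 1 } END { exit bad + 0 }' "$1"
}

# Constructed sample input: invented accounts and hash strings, not a real host.
tmp=${TMPDIR:-/tmp}/mkshadow-demo.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:AbCdEfGhIjKlM:0:1:Operator:/:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
alice:NoPqRsTuVwXyZ:1001:10:Alice:/home/alice:/bin/sh
+::0:0:::
EOF

split_passwd "$tmp/passwd" "$tmp/passwd.new" "$tmp/passwd.adjunct"
echo "== passwd.adjunct (root-only, mode 600) =="; cat "$tmp/passwd.adjunct"
echo "== passwd (world-readable, no hashes) =="; cat "$tmp/passwd.new"
passwd_is_shadowed "$tmp/passwd.new" && echo "passwd.new: no hashes left"
```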