Bugtraq mailing list archives
Re: finger-bombing
From: Brad.Powell () EBay Sun COM (Brad Powell)
Date: Fri, 14 Oct 94 09:09:25 PDT
Charles Howes writes:

> How *do* you set up shadow passwords, anyway?
upgrade to solaris 2.3 :-) :-) :-).  Seriously, see attached below.

=======================================================================
Brad Powell : brad.powell () Sun COM          |
Full Time: Sr. Network Security Analyst       | Part time: Cyberspace PI
ENS Network Security Group                    |            and Consultant
Sun Microsystems Inc.                         |
=======================================================================
The views expressed are those of the author and may not reflect the
views of Sun Microsystems Inc.
=======================================================================

----------
[attached shell script: mkshadow, 170 lines]

#!/bin/sh
#
# $RCSfile: mkshadow,v $ $Revision: 1.6 $
# $Date: 90/04/28 23:44:31 $ $Author: leadley $
# $CHECK: bpowell 90-06-30
#
# Usage: mkshadow [-f]
#
#	-f	(force) skip the sanity check
#
# Start using the SunOS 4.n shadow password file without bothering with
# the C2 auditing.  This script is a little more paranoid than the Sun
# supplied C2conv:
#
#                                         C2conv            mkshadow
#                                         ------            --------
#   /etc/passwd.bak              owner    ?previous owner?  root
#                                group    ?previous group?  wheel
#                                mode     ?previous mode?   400
#   /etc/security/               owner    root              root
#                                group    usually staff     wheel
#                                mode     2711 or 711       2711
#   /etc/security/passwd.adjunct owner    root              root
#                                group    usually staff     wheel
#                                mode     640               600
#
# It wouldn't be terrible to make the mode of /etc/security/ 2700, but that
# would break issecure(3) for ordinary folks.
#
# C2conv also sets up a shadow password file for /etc/group, but why
# bother?  If you are feeling energetic and want to maintain two group files,
# read group.adjunct(5).
#
# Caveat emptor.  READ THE SCRIPT.  If you trust me to have figured out
# all the ways you could have screwed things up, you're crazy.  Use at your
# own risk.  Lawyers will be shot on sight.  Etcetera.
#
#	Scott Leadley, University of Rochester, 4/24/90
#
# PS	Why doesn't lockscreen work with a shadow password file?

PATH=/usr/bin:/usr/ucb:/usr/etc
export PATH

usage() {
	echo "usage: $1 [-f]"
}

fail() {
	echo "$1" 1>&2
	echo "Shadow password file creation failed." 1>&2
	exit 1
}

FALSE=1
TRUE=0

#
# Parse the (single, optional) argument.
case $# in
0)	;;
1)	if [ "$1" != "-f" ]; then
		fail "`usage $0`"
	fi
	;;
*)	fail "`usage $0`"
	;;
esac

#
# You must do this as root.
if [ `whoami` != root ]; then
	fail "Root must run this program."
fi

#
# The C2 security package must be installed (or at least rpc.pwdauthd).
if [ ! -x /usr/etc/rpc.pwdauthd ]; then
	fail "The C2 security package is not installed.  It is a prerequisite."
fi

#
# Minor sanity check: is the current password file secure enough for
# the shadow password file to do any good?  I'm not your Mom, so don't expect
# this check to be very thorough.
if [ "$1" != "-f" ]; then
	# Check that, at the very least, /, /etc and /etc/passwd aren't
	# writeable by everyone.
	if ls -lgd / | awk '{if($1~/-.$/) exit 1;}'; then
		fail "Anyone can write to /.  Fix this more basic security problem first."
	fi
	if ls -lgd /etc | awk '{if($1~/-.$/) exit 1;}'; then
		fail "Anyone can write to /etc.  Fix this more basic security problem first."
	fi
	if ls -lgd /etc/passwd | awk '{if($1~/-.$/) exit 1;}'; then
		fail "Anyone can write to /etc/passwd.  Fix this more basic security problem first."
	fi
fi

#
# There must be a /etc/security directory to put passwd.adjunct in.
pwdauthd_started_by_hand=$FALSE
if [ ! -d /etc/security ]; then
	mkdir /etc/security
	# The SunOS 4.0.3 supplied /etc/rc.local starts rpc.pwdauthd only
	# if /etc/security/passwd.adjunct exists.
	( cd /; rpc.pwdauthd & )
	pwdauthd_started_by_hand=$TRUE
	echo "rpc.pwdauthd started.  Started by /etc/rc.local from now on."
fi

#
# The idly curious are denied satisfaction.
chown root.wheel /etc/security
chmod 711 /etc/security; chmod g+s /etc/security

#
# Create a null /etc/security/passwd.adjunct file.
if [ ! -f /etc/security/passwd.adjunct ]; then
	touch /etc/security/passwd.adjunct
	if [ $pwdauthd_started_by_hand -eq $FALSE ]; then
		# /etc/security/ existed, but passwd.adjunct didn't ...
		# interesting.
		( cd /; rpc.pwdauthd & )
		pwdauthd_started_by_hand=$TRUE
		echo "rpc.pwdauthd started.  Started by /etc/rc.local from now on."
	fi
else
	fail "/etc/security/passwd.adjunct already exists!"
fi

#
# It should be impervious to inspection by anyone but root (I wish).
chown root.wheel /etc/security/passwd.adjunct
chmod 600 /etc/security/passwd.adjunct

#
# The old password file (with passwords still in it) should be locked up.
cp /etc/passwd /etc/passwd.bak
if [ $? -ne $TRUE ]; then
	fail "Couldn't create /etc/passwd.bak.  Too dangerous to proceed."
fi
chown root.wheel /etc/passwd.bak
chmod 400 /etc/passwd.bak

#
# Assume that whatever owner, group and mode are current on /etc/passwd
# make you happy and leave it alone.

#
# Split up the old password file.  One twist (I don't know why, but just
# to be consistent with C2conv) is that "audit:*:::::all" is the first line in
# the passwd.adjunct file.  Dealing with NIS (YP) passwd entries and determining
# if NIS is actually running is just too damn complicated, so punt.  NIS
# passwd entries are left as is.
EDITOR=ex
export EDITOR
vipw >/dev/null <<EOF
1,\$! awk -F: '{printf "\%s:\%s:::::\n", \$1, \$2;}'
/^audit:/d
1put
1d
1put
1s/\$/all/
g/^+/d
w! /etc/security/passwd.adjunct
e!
1,\$! awk -F: '{if(\$1~/^\+/)print;else printf "\%s:\#\#\%s:\%s:\%s:\%s:\%s:\%s\n", \$1, \$1, \$3, \$4, \$5, \$6, \$7;}'
w!
q
EOF
egrep '^\+' /etc/passwd >/dev/null
if [ $? -eq $TRUE ]; then
	echo "NIS (YP) passwd entries need to be added to the shadow password file by hand."
fi

#
# Reminder to comment out the auditd startup in /etc/rc.local.
echo "Remember to comment out or delete the auditd startup in /etc/rc.local:"
echo
sed -n "/auditd/,/fi/s/^/	/p" /etc/rc.local
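The passwd -> passwd + passwd.adjunct split that mkshadow does inside vipw with ex and awk, written out as an added example (not part of the post and not Scott Leadley's script) so the transformation can be read and exercised on a constructed file rather than on the live /etc/passwd. It assumes a modern POSIX sh with awk, mktemp and $(...); the function names (split_passwd, check_no_hashes, check_mode, demo_split), the sample passwd entries and the 13-character "hashes" are all made up for this example.

```shell
#!/bin/sh
# Added example, not the mkshadow script from the post: the same passwd ->
# passwd + passwd.adjunct split that mkshadow performs with ex and awk,
# written as plain awk functions so it can be run against a constructed
# file instead of the live /etc/passwd. Function names and sample data
# are assumptions made for this example.

# split_passwd SRC PUBLIC ADJUNCT
#   SRC      a 7-field passwd file
#   PUBLIC   output: same entries, field 2 replaced by the "##user" marker
#   ADJUNCT  output: "audit:*:::::all" first, then user:hash::::: per entry,
#            created under umask 077 (mode 600) so only its owner can read it
# NIS "+" entries go to PUBLIC unchanged and are left out of ADJUNCT, which
# is what mkshadow does (it reminds you to add them to the shadow by hand).
split_passwd() {
    src=$1; public=$2; adjunct=$3
    ( umask 077
      { echo 'audit:*:::::all'
        awk -F: '$1 !~ /^\+/ && $1 != "audit" { printf "%s:%s:::::\n", $1, $2 }' "$src"
      } > "$adjunct" ) || return 1
    awk -F: 'BEGIN { OFS = ":" }
             $1 ~ /^\+/ { print; next }   # NIS marker lines: pass through
             { $2 = "##" $1; print }' "$src" > "$public" || return 1
}

# check_no_hashes FILE
#   exit 0 only if every non-NIS entry in FILE carries the "##user" marker
#   in field 2, i.e. no encrypted password was left in the public file.
check_no_hashes() {
    awk -F: '$1 !~ /^\+/ && $2 != ("##" $1) { bad++ }
             END { exit bad ? 1 : 0 }' "$1"
}

# check_mode FILE WANT
#   compare the 10-character symbolic mode ls prints with WANT, the same
#   style of test mkshadow applies to /, /etc and /etc/passwd before it
#   starts. A trailing "." or "+" (ACL/SELinux marker) is ignored.
check_mode() {
    mode=$(ls -ld "$1" | awk '{ print substr($1, 1, 10) }')
    [ "$mode" = "$2" ]
}

# demo_split: run the split on a constructed passwd file in a scratch
# directory and verify the result. The hashes are made-up 13-character
# strings, not real crypt(3) output. Returns 0 only if every check passes.
demo_split() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:aB3x9Qz1Lm2Np:0:1:Operator:/:/bin/csh
audit:*:9:9:Audit:/:/bin/sh
alice:xY7kQ2mN8pL4w:1001:10:Alice Example:/home/alice:/bin/sh
+:::::::
EOF
    split_passwd "$dir/passwd" "$dir/passwd.new" "$dir/passwd.adjunct" || return 1
    # public file: markers only, NIS line intact, nothing secret left behind
    check_no_hashes "$dir/passwd.new" || return 1
    grep -q '^alice:##alice:1001:10:Alice Example:/home/alice:/bin/sh$' "$dir/passwd.new" || return 1
    grep -q '^+:::::::$' "$dir/passwd.new" || return 1
    # shadow file: audit entry first and only once, hashes carried over, no NIS lines
    [ "$(sed 1q "$dir/passwd.adjunct")" = 'audit:*:::::all' ] || return 1
    [ "$(grep -c '^audit:' "$dir/passwd.adjunct")" -eq 1 ] || return 1
    grep -q '^root:aB3x9Qz1Lm2Np:::::$' "$dir/passwd.adjunct" || return 1
    grep -q '^alice:xY7kQ2mN8pL4w:::::$' "$dir/passwd.adjunct" || return 1
    if grep -q '^+' "$dir/passwd.adjunct"; then return 1; fi
    # shadow file must be readable by its owner only (mkshadow's mode 600)
    check_mode "$dir/passwd.adjunct" '-rw-------' || return 1
    rm -rf "$dir"
}

# Run the demo when executed directly under the assumed file name;
# when sourced, the caller invokes demo_split itself.
case $0 in *split_passwd.sh) demo_split && echo "passwd split OK" ;; esac
```

Save it as split_passwd.sh and run it, or source it and call demo_split; the checks mirror the three properties mkshadow's comments promise: the public file keeps only the "##user" placeholder, passwd.adjunct starts with the audit line and is mode 600, and NIS entries are passed through the public file untouched.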
Current thread:
- Re: finger-bombing Nayfield, Rod (Oct 13)
- Re: finger-bombing Breakdown (Oct 14)
- Re: finger-bombing Pete Shipley (Oct 14)
- <Possible follow-ups>
- Re: finger-bombing Bill Heiser (Oct 14)
- Re: finger-bombing Brad Powell (Oct 14)
- Re: finger-bombing Richard A Childers (Oct 14)
- Re: finger-bombing Mark C. Henderson (Oct 14)
- Re: finger-bombing Mark C. Henderson (Oct 14)
- Re: finger-bombing Rik Farrow 602 282 0242 MST (Oct 15)
- Re[2]: finger-bombing Nayfield, Rod (Oct 17)
- Re: finger-bombing Breakdown (Oct 14)