Bugtraq mailing list archives
Re: Weakness in some linux versions of adduser.
From: alan () manawatu gen nz (Alan Brown)
Date: Mon, 9 Dec 1996 18:58:25 +1300
On Sun, 8 Dec 1996, Dan Merillat wrote:
> Aside from glaring buffer overflows (which are unimportant, as only administration should have access to the adduser script) I do notice an interesting statistical weakness in adduser... namely, the salt generation.
The revised adduser perl script used in the "shadows-ina-box" Linux shadowing kit uses passwd to set the password, probably for this reason.

I've spent the weekend ironing various bugs out of the 1.2 version and tidying up the adduser perl script in the package - it enables paranoid mode in many of the programs compiled, but adduser doesn't have questions added about whether a user should be allowed pop3 access, plus has a non-elegant failure mode if the defaults file isn't there.

I've mailed the various fixes and patches done to the shadow kit's maintainer and the rest is up to him. Meantime, if anyone wants to grab and comment on what I've got so far, there's a scrappy copy sitting at ftp://news.manawatu.gen.nz/pub/shadow-ina-box-1.2.1.src.tar.gz

Among other things, we've more than doubled the Cracklib dictionary size (to 7Mb) and replaced wuftpd with a version that actually compiles on ELF systems. The Install and Build scripts need some work, as does the modify program (hits inetd.conf).

AB