Bugtraq mailing list archives

Re: Mac OS 9 Multiple Users Control Panel Password Vulnerability


From: "K. M. Ellis" <protozoa () TUX ORG>
Date: Tue, 2 Jan 2001 13:04:25 -0500

On Fri, 29 Dec 2000, Todd Kirby wrote:

> Mac OS 9.04 comes with a 'Multiple Users' Control
> Panel that allows an administrator (called 'Owner') to
> create user accounts (called 'Normal' users) with
> limited access to the computer.

I'd like to point out that if your Mac is configured to share out
your system folder with any level of access, you're screwed regardless of
which OS version you're running.

As far back as OS 7.6.1 (and probably earlier) your Users and Groups
preferences file has all user and administrator passwords encoded using
wimpy 40-bit DES encryption.  You don't want any users getting into it.

Thanks for taking the time to point this vulnerability out, but I consider
it yet _another_ reason not to share out the system folder.

It should also be stated that this vulnerability probably applies to Mac
9.x systems running AppleShare IP, although I have no way to test this.

Respectfully submitted,

-K

--
  Kathleen M. Ellis, P.A.B.  -- KB3CWP -- http://www.tux.org/~protozoa
   Technology.  Politics.  Get a clue.  http://www.cluebot.com
        "Muhammad Ali, one of my very few heroes, once took
         the time to explain to me that 'there are no jokes.
         The truth is the funniest joke of all.'  Ho ho.  It
         takes a special kind of mindset to believe that and
         still have smart people call you Funny.  I have never
         quite understood it."
                                Hunter S. Thompson
                                _Fear and Loathing in America_

