home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  


Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 8.1 Dangerous Accounts Chapter 8
Defending Your Accounts
Next: 8.3 Restricting Logins
 

8.2 Monitoring File Format

Most programs that access the /etc/passwd and /etc/group files are very sensitive to problems in the formatting of those files, or to bad values. Because of the compact representation of the file, entries that are badly formatted could be hidden.

Traditionally, a number of break-ins to UNIX systems occurred when a program that was designed to write to the /etc/passwd file was given bad input. For instance, early versions of the chfn and yppasswd commands could be given input with ":" characters or too many characters. The result was a badly formatted record to write to the /etc/passwd file. Because of the way the records were written, the associated library routines that wrote to the file would truncate or pad the entries, and might produce an entry at the end that looked like:

::0:0:::

This type of entry would then allow a local user to become a superuser by typing:

$ su ''
#

(The above example changes the user to the null-named account.) Clearly, this result is undesirable.

You should check the format of both the passwd and group files on a regular basis. With many versions of UNIX with System V ancestry, there are two commands on the system that will check the files for number of fields, valid fields, and other consistency factors. These two programs are pwck and grpck ; they are usually found in /etc or /usr/sbin .

Also on SVR4 systems is the logins command. When issued with the -p option, it will check for any accounts without a password. When issued with the -d option, it will check for duplicate IDs - including accounts that have an ID of 0 in addition to the root account.

If you do not have access to these commands, you can write your own to do some of these same checks. For instance:

# awk -F: 'NF != 7 || $2 == 0 { print "Problem with" $0}' /etc/passwd