SUMMARY: low uids and short passwords

From: Mark `Hex' Hershberger (mah@eecs.tulane.edu)
Date: Mon Sep 09 1996 - 18:08:24 CDT


Thanks to Jim Harmon, the only person to send me the following suggestion:

> One more thing, is your account in the operator, sys/ or root groups?
> It's possible that your personal account has override privilege to the
> passwd control options, just like root.

In fact, that is what the answer was. The "problem" with a short password
being accepted was *not* due to

        o an incorrect setting in /etc/default/passwd
        o the low uid
        o changing the passwd as root (i.e. "passwd [user]")

These were the most suggested problems.

The answer is a bit more subtle. Remember that I am running Solaris 2.5,
which has an NIS+ aware passwd program. I created a test account with a
uid>1000 and put it in the NIS+ admin group. While logged in with this
test account, I was able to change its password to a one-letter password.

Immediately after giving the test account a one-letter password, I changed
it back and removed it from the NIS+ admin group. I tried again to give
the test account a one-letter password, but was unable to.

Thus: accounts in the NIS+ admin group are able to assign themselves
whatever password they desire.

| _o ) mah@eecs.tulane.edu |
| Mark `Hex' Hershberger `\< New Orleans, LA ( |
| (*)/(*) c[] hex@eecs.tulane.edu |

As the flattery of friends corrupts, so often do the taunts of enemies
instruct. -- Augustine, "Confessions," IX, viii, 18
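The practical follow-up to the finding above is an audit of who is in the NIS+ admin group, since those principals can set themselves any password regardless of PASSLENGTH. The script below is an added example and is not part of the original post or of Solaris; it parses output in the form that `nisgrpadm -l admin.<domain>.` prints and reports members that are not on an allowlist. The group name, domain, principal names and the sample output are constructed assumptions so the example runs offline; on a live NIS+ client you would pipe the real `nisgrpadm -l` output through the same functions.

```shell
#!/bin/sh
# Added example, not from the original post: list the principals in an NIS+
# admin group and flag the ones that should not be there.
#
# On a Solaris 2.x NIS+ client the real input would come from:
#     nisgrpadm -l admin.eecs.tulane.edu.
# The text below is CONSTRUCTED sample output in that layout (assumption).
SAMPLE_NISGRPADM='Group entry for "admin.eecs.tulane.edu." group:
    Explicit members:
        mah.eecs.tulane.edu.
        testacct.eecs.tulane.edu.
        sunserver.eecs.tulane.edu.
    No implicit members
    No recursive members
    No explicit nonmembers
    No implicit nonmembers
    No recursive nonmembers'

# Read nisgrpadm -l output on stdin and print one member principal per line.
# Principal names are the dot-terminated tokens under "Explicit members:" or
# "Implicit members:"; a "No ..." line or a nonmember header ends the section.
group_members() {
    awk '
        /Explicit members:/ || /Implicit members:/ { in_section = 1; next }
        /^[ \t]*No / || /nonmembers:/ || /Recursive members:/ { in_section = 0 }
        in_section && $1 ~ /\.$/ { print $1 }
    '
}

# "mah.eecs.tulane.edu." -> "mah" (host principals keep their hostname).
principal_to_login() {
    sed 's/\..*$//'
}

# Print every login on stdin that is not in the space-separated allowlist $1.
unexpected_admins() {
    allow=" $1 "
    while read -r login; do
        case "$allow" in
            *" $login "*) ;;
            *) echo "$login" ;;
        esac
    done
}

# Run the whole pipeline over the constructed sample; $1 is the allowlist.
audit_admin_group() {
    printf '%s\n' "$SAMPLE_NISGRPADM" \
        | group_members | principal_to_login | unexpected_admins "$1"
}

# Example run: only the real admin and the server are expected in the group.
audit_admin_group "mah sunserver"
```

Any login the script prints is an account that, per the finding above, can give itself a one-letter password; remove it from the group with `nisgrpadm -r` or justify it. Implicit (wildcard) members show up as `*`, which is worth flagging on its own.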



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:09 CDT