Re: etc/passwd file

From: Bill Unruh (unruh@string.physics.ubc.ca)
Date: 10/29/02


From: unruh@string.physics.ubc.ca (Bill Unruh)
Date: 29 Oct 2002 19:22:10 GMT

david20@alpha2.mdx.ac.uk (David Webb) writes:

]Since it could have been easily fixed if they had been aware of the problem
]then as I said before this was a bad design decision. I'm not blaming them
]- Dennis Ritchie and Ken Thompson were not designing an OS which was meant to
]be secure and last for 30+ years.

It is simply an indication that security is far more than technology.
Replacements were available certainly by 85. But so many systems had
been set up by then, with for example getpass routines which only kept
the first 8 letters, that the weight of history proved far far stronger
than the requirement for security.

]The trouble is that there are still Unix systems out there relying just on
]/etc/passwd - no shadow password file or other protections.

So? There are systems out there which have no passwords at all (most Win
xx systems), and systems with very poor password security (the rest of
the Win systems) used by billions, and designed in the past 5 years.
/etc/passwd all by itself is still stronger than the security in most
systems. It is still rare that breakins happen via /etc/passwd. Far
far more often they are due to programming holes, buffer overflows,
deliberate insecure design choices, etc. It has been an amazingly
successful design, especially considering that the idea of an open
password file was considered heretical at the time.


