SUMMARY: expiration (UPDATE)

From: Fiorella Sartori (fiorella@alpha.science.unitn.it)
Date: Tue Apr 09 1996 - 04:29:11 CDT


After posting my summary, I received other reports (you can read them
below) from:

James M. Thompson <masato@access.digex.net>
Brett Lymn <blymn@bunya3.awadi.com.au>
Perry Hutchison <perryh@pluto.rain.com>
Nicholas R. LeRoy <nleroy@norland.idcnet.com>

Thanks to all these persons, who told me not to change the permissions of the
file /etc/shadow, in order to avoid opening a security hole in my system.
As they suggested, I left read permission on the file /etc/shadow for the
root user only; then I made the file /usr/local/bin/valid setuid-root (by
executing the command "chmod u+s ...").
Now it works very well; I hope this is the final solution...
Thank you again!

Fiorella

---

--------------------------------------------------------------------
| Fiorella Sartori             | Phone : +39-461-881598            |
| C.I.S.C.A.                   | Fax   : +39-461-881668            |
| University of Trento         | E-Mail: fiorella@science.unitn.it |
| Via Sommarive, 14            |                                   |
| I-38050 POVO (Trento), ITALY |                                   |
--------------------------------------------------------------------
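
Two things worth checking before relying on the setuid-root fix, shown here as an added example (this is not the binary Fiorella installed, nor Philip Plane's valid.c, which appears further down the page). First, once the program runs with effective UID 0, the caller has to be identified from the real UID (getuid()) rather than from cuserid() or getlogin(): on some implementations (glibc's among them) cuserid() resolves the effective UID and would report "root", and getlogin() depends on utmp and the controlling terminal, neither of which the user should be able to influence the outcome with. Second, root should be dropped permanently as soon as the shadow entry has been read, and any failure should make the Xsession test fail closed. The decision rule is kept in its own function so it can be tested without root. Assumptions: the install path /usr/local/bin/valid is taken from the page; the function names, the exit code 2 for "could not decide", and the convention that the expiration day itself already counts as expired (as Linux login does) are mine; the code is written against Linux/glibc headers, using the same getspnam()/sp_expire interface that Philip Plane's program uses.

```c
/* valid_setuid.c - hardened account-expiry check for a setuid-root
 * Xsession hook.  Added example; not the page's own code.
 *
 * Build:   cc -o /usr/local/bin/valid valid_setuid.c
 * Install: chown root /usr/local/bin/valid && chmod 4711 /usr/local/bin/valid
 *
 * Exit status: 0 = account usable, 1 = expired, 2 = could not decide
 * (the caller treats anything but 0 as "do not start the session").
 */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>

#define SECS_PER_DAY 86400L

/* Days since 1 Jan 1970, the unit used by the sp_expire field. */
long days_since_epoch(time_t t)
{
    return (long)(t / SECS_PER_DAY);
}

/* Pure decision rule, kept separate so it can be tested without root.
 * sp_expire <= 0 (shadow uses -1 for "never") means no expiry; otherwise
 * the expiration day itself counts as expired (assumed convention,
 * matching Linux login). */
int account_expired(long sp_expire, long today)
{
    if (sp_expire <= 0)
        return 0;
    return today >= sp_expire;
}

/* Identify the caller by the *real* UID.  Under setuid root the effective
 * UID is 0, so cuserid()/getlogin()-style lookups must not be trusted.
 * Returns 0 (valid), 1 (expired) or 2 (could not decide). */
int check_real_user(time_t now, char *name_out, size_t name_len)
{
    uid_t real_uid = getuid();
    struct passwd *pw = getpwuid(real_uid);
    struct spwd *sp;

    if (pw == NULL)
        return 2;
    snprintf(name_out, name_len, "%s", pw->pw_name);

    /* The only privileged operation: read the shadow entry. */
    sp = getspnam(pw->pw_name);

    /* Drop root permanently before doing anything else, and verify that
     * the drop stuck (an unprivileged caller must not be able to regain 0). */
    if (setuid(real_uid) != 0)
        return 2;
    if (real_uid != 0 && setuid(0) == 0)
        return 2;

    if (sp == NULL)
        return 2;   /* no shadow entry, or binary not installed setuid root */
    return account_expired((long)sp->sp_expire, days_since_epoch(now)) ? 1 : 0;
}

int main(void)
{
    char name[64];
    int rc = check_real_user(time(NULL), name, sizeof name);

    openlog("valid", LOG_CONS | LOG_PID, LOG_AUTH);
    if (rc == 1)
        syslog(LOG_NOTICE, "user %s: account has expired", name);
    else if (rc == 2)
        syslog(LOG_WARNING, "uid %ld: could not read expiry (setuid root missing?)",
               (long)getuid());
    closelog();
    return rc;
}
```

Keep the Xsession test exactly as Philip Plane wrote it ("if /usr/local/bin/valid; then ... fi"): exit status 1 (expired) and 2 (error) both skip the session, so a lost setuid bit or a missing shadow entry denies the login rather than silently admitting an expired account.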

===============================================================================
Nicholas R LeRoy wrote:
-------------------------------------------------------------------------------

Fiorella...

......
> What Philip Plane had suggested us (you can read it below) was a good idea.
> Now we have the program to check expiration about users, and we have
> included it in file /usr/openwin/lib/xdm/Xsession.
> Just a note:
> the script didn't go well, because users had not read permissions for the file
> /etc/shadow (by default, only root has it). We executed the command to give
> read permissions for all users, and then everything was ok!

DON'T DO THAT!!! /etc/shadow is *supposed* to be -rw------- !!!!! The world is *not* supposed to be able to read /etc/shadow. This is a serious security issue, IMHO. One of the security features of shadow passwording is that only root can read the encrypted passwords which are stored in /etc/shadow. If you really need information from it, run passwd -S user and parse the output of that.

===============================================================================
Perry Hutchison wrote:
-------------------------------------------------------------------------------

> the script didn't go well, because users had not read permissions for the
> file /etc/shadow (by default, only root has it). We executed the command
> to give read permissions for all users, and then everything was ok!

AACCKKK!!!! You have just defeated the purpose of having /etc/shadow separate from /etc/passwd. With general read permission on /etc/shadow, anyone can read anyone else's encrypted password. This makes cracking passwords much easier.

The proper way to handle this is to make /usr/local/bin/valid setuid-root so that it can read the protected shadow password file.

===============================================================================
Brett Lymn wrote:
-------------------------------------------------------------------------------

According to Fiorella Sartori:
>
>the script didn't go well, because users had not read permissions for the file
>/etc/shadow (by default, only root has it). We executed the command to give
>read permissions for all users, and then everything was ok!
>

Ummm, you realise you have just broken part of your security setup, don't you? The reason shadow is unreadable by anyone apart from root is to prevent people from easily getting the encrypted passwords to run a password cracker on. Why don't you make the program you got into a setuid one so that it can read the shadow as root?

===============================================================================
James M. Thompson wrote:
-------------------------------------------------------------------------------

On Fri, 5 Apr 1996, Fiorella Sartori wrote:

>
>
> What Philip Plane had suggested us (you can read it below) was a good idea.
> Now we have the program to check expiration about users, and we have
> included it in file /usr/openwin/lib/xdm/Xsession.
> Just a note:
> the script didn't go well, because users had not read permissions for the file
> /etc/shadow (by default, only root has it). We executed the command to give
> read permissions for all users, and then everything was ok!
> Thank you!!!
>

One comment on your solution.

By allowing read permission to /etc/shadow for the general user, you now open your system to a security hole. A cracker can now read the /etc/shadow file and attempt to break the passwords.

I think a better approach would have been to make the expiration date program that reads /etc/shadow a suid 'root' program. This would have allowed the expiration date program to read /etc/shadow and still keep /etc/shadow read protected from the general user.

===============================================================================

===============================================================================
My previous summary was:
===============================================================================

Sorry for summarizing only now, but we tried the solution to the problem before mailing it. Thanks to all the persons who have replied to our question (only two..):

Philip Plane <P.J.Plane@massey.ac.nz>
Luigi Zerbi <lzerbi@tlvsno.vim.tlt.alcatel.it>

This is the question we had submitted to you:

> Hi all,
>
> i'm having a problem with the user expiration date on my Sun ultra1 with
> solaris 2.5. When i set an expiration date for a user, it works well
> with telnet connections but it does not have any effect when the connections
> are made using an Xterminal with openwindows.
>
> Any suggestions?
>
> Thanks in advance.

What Philip Plane had suggested to us (you can read it below) was a good idea. Now we have the program to check the expiration of users, and we have included it in the file /usr/openwin/lib/xdm/Xsession. Just a note: the script didn't go well, because users had no read permission for the file /etc/shadow (by default, only root has it). We executed the command to give read permission to all users, and then everything was ok! Thank you!!!

Fiorella

===============================================================================

Philip Plane wrote:
-------------------------------------------------------------------------------

Hi,

I had the same problem. To get around this I wrote a program to check if a user had expired. Then I changed /usr/openwin/lib/xdm/Xsession to check that the user was valid before letting them start openwindows.

So my Xsession has:

if /usr/local/bin/valid; then
    [usual stuff to start openwin]
fi

Here is the source to my little program. If you can use it you're welcome to. I'm not sure if this program is the actual one I use, because I messed up my original source, but it should be close enough to let you fix it.

/* valid.c
   Philip Plane <P.J.Plane@massey.ac.nz> 25 July 1995
   Gets a user's details, including when their account expires.
   returns 1 if account has expired, and logs the problem.
   returns 0 if account is still good.
   Must be run as root. */

#include <stdio.h>
#include <sys/types.h>
#include <shadow.h>
#include <stdlib.h>
#include <time.h>
#include <syslog.h>

char username[L_cuserid];
struct spwd *shadow_rec;
time_t expires, current_date, current_time, *current_time_ptr;

int main(void)
{
    /* get the current time */
    current_time_ptr = &current_time;
    (void)time(current_time_ptr);
    /* convert to number of days since 1 Jan 1970 */
    current_date = (int)current_time/86400;

    /* name of the invoking user, then their shadow entry (needs root) */
    (void)cuserid(username);
    shadow_rec = getspnam(username);

    if ( shadow_rec ) {
        expires = shadow_rec->sp_expire;
        if ( (expires > 0) && (expires < current_date) ) {
            /* Account has expired: log first, since a return placed
               before syslog() would make the logging unreachable */
            openlog("validate_user",LOG_CONS,LOG_AUTH);
            syslog(LOG_NOTICE,"user %s account has expired",username);
            closelog();
            return(1);
        } else {
            /* Account is valid */
            return(0);
        }
    } else {
        /* getspnam() gives nothing unless we are root */
        (void)printf("no reply - you must be root to get a reply\n");
        openlog("validate_user",LOG_CONS,LOG_AUTH);
        syslog(LOG_NOTICE,"no reply - you must be root to get a reply");
        closelog();
        return(255);
    }
}

Luigi Zerbi wrote:
-------------------------------------------------------------------------------

I have already faced this problem, even opening a call with Sun, but the answer was that only with Solaris 2.6 should the validation mechanism be unified between login and xdm, so with Solaris 2.5 there is no way to intercept password expiration. If someone gives you a workaround, post a summary.



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:57 CDT