Date: Fri, 10 Feb 1995 15:21:47
From: SMMCGEE@ncbc.ncbc.mn.org (Sean McGee)
To: questions@FreeBSD.org
Subject: Security Hole ?????
Message-ID: <m0rd2sf-0002kvC@kksys.skypoint.net>
The following is a transcript of a telnet session on my 2.0R host: I logged in as a user with absolutely no rights whatsoever, with an account that has an expired password under 'chpass'.

><< Opened connection to jasper.ncbc.edu >>
>
> FreeBSD (jasper.ncbc.edu) (ttyp0)
>
>login: skpearso
>Password:
>Sorry -- your password has expired.
>Changing local password for root.
>New password:
>Retype new password:
>passwd: rebuilding the database...
>passwd: done
>Last login: Fri Feb 10 13:10:40 from h004
>Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
> The Regents of the University of California. All rights reserved.
>
>FreeBSD 2.0-RELEASE
>
>login: /bin/csh: Permission denied
>
><< Connection closed by other end. >>

As you can see, I was able to change root's password as a user with no rights when my account password had expired. Is this a hole or am I missing something???

-sean