From owner-freebsd-security  Thu Feb 15 17:22:06 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id RAA10666
          for security-outgoing; Thu, 15 Feb 1996 17:22:06 -0800 (PST)
Received: from elane (root@NS.ELANE.COM [205.233.74.1])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id RAA10653
          for <freebsd-security@freebsd.org>; Thu, 15 Feb 1996 17:21:59 -0800 (PST)
Received: from else by elane with smtp
	(Smail3.1.29.1 #3) id m0tnEsw-000iZLC; Thu, 15 Feb 96 20:22 EST
Received: by else (Smail3.1.29.1 #3)
	id m0tnEtc-000MNeC; Thu, 15 Feb 96 20:23 EST
Date: Thu, 15 Feb 1996 20:23:36 -0500 (EST)
From: James FitzGibbon <james@else.net>
To: Brian Tao <taob@io.org>
cc: FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject: Re: Temporary passwd files in /etc?
In-Reply-To: <Pine.BSF.3.91.960128130513.29165A-100000@zap.io.org>
Message-ID: <Pine.LNX.3.91.960215202232.30726B-100000@else.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Sun, 28 Jan 1996, Brian Tao wrote:

>     I found these two files lying around in the /etc directory of one
> of our FreeBSD 2.1.0-RELEASE machines here.
> 
> -rw-r--r--  1 root  wheel      459403 Jan 20 15:35 pw.007939.orig
> -rw-rw-rw-  1 root  wheel      612563 Jan 25 19:06 pw.021282~
> 
>     pw.021282~ is a world readable/writeable copy of the master.passwd
> file.  How did either of those files get there?  Do the serial numbers
> on them look familiar to anyone (pids?).

I didn't see an answer to this in the list, but they are created by 
chpass/vipw type utilities.  I've never seen one get mode 666 though.  

Maybe Nerk did it.


j.