---------- Forwarded message ----------
Date: Mon, 9 Dec 1996 01:58:25 -0400
From: Alan Brown <alan@manawatu.gen.nz>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Subject: Re: Weakness in some linux versions of adduser.

On Sun, 8 Dec 1996, Dan Merillat wrote:

> Aside from glaring buffer overflows (which are unimportant, as only
> administration should have access to the adduser script) I do notice
> an interesting statistical weakness in adduser... namely, the salt generation.

The revised adduser perl script used in the "shadows-ina-box" Linux
shadowing kit uses passwd to set the password, probably for this reason.

I've spent the weekend ironing various bugs out of the 1.2 version and
tidying up the adduser perl script in the package - it enables paranoid
mode in many of the programs compiled, but adduser doesn't have questions
added about whether a user should be allowed pop3 access, plus has a
non-elegant failure mode if the defaults file isn't there.

I've mailed the various fixes and patches done to the shadow kit's
maintainer and the rest is up to him.

Meantime, if anyone wants to grab and comment on what I've got so far,
there's a scrappy copy sitting at
ftp://news.manawatu.gen.nz/pub/shadow-ina-box-1.2.1.src.tar.gz

Among other things, we've more than doubled the Cracklib dictionary size
(to 7Mb) and replaced wuftpd with a version that actually compiles on ELF
systems.

The Install and Build scripts need some work, as does the modify program
(hits inetd.conf).

AB