Silicon Graphics Inc. Security Advisory 19951002-01-I

Posted Sep 23, 1999

This advisory has the title Password-less accounts.

SHA-256 | 72ac157f43c3f110fa9281382551fd19bdf77398148c226cf0dfb69259a4ed0e

________________________________________________________________________________
Silicon Graphics Inc. Security Advisory

Title: Password-less accounts
Title: CERT Advisory CA-95:15 - SGI lp Vulnerability
Number: 19951002-01-I
Date: November 27, 1995
________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community
for its consideration, interpretation and implementation. Silicon Graphics
recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any consequential damages arising
from the use of, or failure to use or use properly, any of the instructions
or information in this Security Advisory.
________________________________________________________________________________


It has reached the attention of SGI and the CERT Coordination Center
that the community is unaware of the existence and use of password-less
accounts on newly installed systems. Because these accounts are initially
password-less and are not given passwords when the system is set up,
they are being left open and used to gain access to the systems.

Passwords are one of the primary tools for providing the security
of a system. The use of, and guidelines for, passwords need to be clearly
defined as part of a site's security policy. As pointed out in the CERT
advisory, *ALL* accounts on a system need to 1) have a password and
2) have a properly chosen password.

Properly chosen password: a password that cannot be easily
guessed or discovered. For example, a 2 character password is
much easier to discover by brute sequential guessing than a 6
character password. Furthermore, passwords should not be obvious:
a user's name, a family member's name, the name of the company,
a favorite item, activity or saying, or any commonplace word
found in a dictionary. In the "IRIX Advanced Site and Server
Administration Guide", the "System Security" chapter has
a section on selecting passwords.

New Silicon Graphics systems are distributed with several accounts, such
as the lp account, without passwords to provide easy "plug-and-play"
installation and operation. These accounts, and the fact that they do not
initially have passwords, are documented in the SGI documentation shipped
with each system, specifically the "IRIX Advanced Site and Server
Administration Guide" in the chapter on "System Security."


----------------
--- Solution ---
----------------

To reveal *ANY* local account on the system which does not have a
password (NIS accounts are not recognized), the following command
can be used as root:

# /bin/passwd -sa | /usr/bin/awk '$2 == "NP" {print $0}'

The output may appear something like this:

lp NP 9 9 /usr/spool/lp /bin/sh
tutor NP 994 997 /usr/tutor /bin/csh
demos NP 993 997 /usr/demos /bin/csh
guest NP 998 998 /usr/people/guest /bin/csh
4Dgifts NP 999 998 /usr/people/4Dgifts /bin/csh
jack NP 1110 20 /usr/people/jack /bin/csh
jill NP 1111 20 /usr/people/jill /bin/csh
backdoor NP 1112 20 /usr/people/backdoor /bin/csh

The "NP" notation indicates the account has no password. In
this example, not only does the lp account lack a password,
but so do other accounts, including some user accounts
(jack, jill, backdoor).

It is recommended that *ANY* account found without a password either
be assigned a password or be locked or be removed if the account is no
longer in use.

To lock an account, a system administrator places the string
"*LK*" in the password field of the account's entry in the /etc/passwd file.
With this "*LK*" string in the password field it is not possible
to log into the account.

************
*** NOTE ***
************

Locking accounts can disable certain services and/or
"plug-and-play" operations. For example, if this system is
to provide remote tape drive or printer services for other
systems, certain accounts such as guest or lp will need to be
open with no password, or a .rhosts file will need to be set up
for these accounts. The use of .rhosts files is covered in the
manual page for hosts.equiv(4) and the "IRIX Advanced Site and
Server Administration Guide."


To lock an account, the passwd command is used with the -l option.
For more information on locking accounts and other password management
options, refer to the manual page on passwd(1) or the "IRIX Advanced
Site and Server Administration Guide" available on-line with InSight(1).


To lock all accounts without a password, the following script can be used.
Save the script into a file and then execute the file with the /bin/sh
command as root.

#####--->>> WARNING <<<---#####

Be sure the root account already
has a chosen and assigned password
and is not an open account, as the
root account will be locked by
this process if it has no password.



------------------------cut here--8<------------------------
#!/bin/sh
# Lock every local account that passwd -s reports as "NP" (no password).
# Must run as root; root itself is locked if it has no password.
for account in `/bin/passwd -sa | /usr/bin/awk '$2 == "NP" {print $1}'`
do
  # Report only after the lock actually succeeded
  /bin/passwd -l "$account" && /bin/echo Locked the "$account" account
done
------------------------cut here--8<------------------------


The above procedure will also work if shadow passwords are used.
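As an added example (not part of the SGI advisory or of IRIX), the following Python performs the same no-password audit over passwd-format entries: it reports the "NP" and "*LK*" states the check above relies on, treats a shadow "x" placeholder as "consult /etc/shadow", skips NIS compatibility entries as the advisory's check does, and applies the WARNING about root before any bulk lock. The sample entries are constructed.

```python
# Added example, not SGI code: the NP/LK audit behind `passwd -sa | awk '$2 == "NP"'`
# applied to passwd-format lines. Sample entries below are constructed.
SAMPLE_PASSWD = """\
root:aBcDeFgHiJkLm:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/usr/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
demos:*LK*:993:997:Demonstration User:/usr/demos:/bin/csh
jack::1110:20:Jack:/usr/people/jack:/bin/csh
bin:x:2:2:System Tools Owner:/bin:
+::0:0:::
"""

def classify(password_field):
    """Status codes as passwd -s reports them: NP = no password (empty field),
    LK = locked with "*LK*", SHADOW = "x" placeholder (check /etc/shadow), PS = set."""
    if password_field == "":
        return "NP"
    if password_field == "*LK*":
        return "LK"
    if password_field == "x":
        return "SHADOW"
    return "PS"

def audit(passwd_text):
    """Return (open_accounts, locked_accounts, skipped_lines). NIS compatibility
    entries ('+'/'-' names) are skipped: the advisory's check does not see them."""
    open_accounts, locked, skipped = [], [], []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0].startswith(("+", "-")):
            skipped.append(line)   # malformed or NIS entry, audit it elsewhere
            continue
        status = classify(fields[1])
        if status == "NP":
            open_accounts.append(fields[0])
        elif status == "LK":
            locked.append(fields[0])
    return open_accounts, locked, skipped

def safe_to_lock_all(open_accounts):
    """The advisory's WARNING: bulk-locking NP accounts locks root too if root is
    open, so a lock-all run must be refused in that case."""
    return "root" not in open_accounts

if __name__ == "__main__":
    opened, locked, skipped = audit(SAMPLE_PASSWD)
    print("NP (no password):", opened)                    # ['lp', 'guest', 'jack']
    print("LK (locked):", locked)                         # ['demos']
    print("skipped entries:", len(skipped))               # 1
    print("safe to lock all NP accounts:", safe_to_lock_all(opened))  # True
```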

If NIS accounts are used on the system, efforts need to be taken
to ensure those accounts also have passwords. See manual pages
on yppasswd(1) or "IRIX Advanced Site and Server Administration
Guide" or "NIS Administration Guide" available on-line with
InSight(1).


-----------------------
--- Acknowledgments ---
-----------------------

SGI commends the CERT Coordination Center on its continued efforts to
inform the community regarding security matters and appreciates
its efforts on this particular issue.


-----------------------------------------
--- SGI Security Information/Contacts ---
-----------------------------------------

Past SGI Advisories and security patches can be obtained via
anonymous FTP from sgigate.sgi.com. These are provided freely
to all interested parties.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or by contacting your SGI support provider.



