bug-sh-utils

Re: Minor bug in su shell util.


From: Bob Proulx
Subject: Re: Minor bug in su shell util.
Date: Thu, 23 May 2002 22:30:03 -0600
User-agent: Mutt/1.3.28i

> It seems that su accepts valid password (unix) more than 8 characters. But
> it just reads first 8 chars and authenticates if the user name and first 8
> chars of the password is a valid user account. My colleague has detected it.

I did not look at the code but I do not believe that su is truncating the
password.  I believe it is handing it to the system for authentication
and the system is only looking at the first 8 characters.  That has 
been the typical behavior.  That way if the system is really configured
to use long passwords and md5 crypt it all still works.  Perhaps someone
else will now look at the code and state that I am wrong which would be 
great.

> Bug Input:
> 1. Valid unix usr account: 
>      
>             login: <root>
>             pwd:  <password>
> 2. Bug simulation:
>            enter cmd su:
>            Enter login: <root>
>            Enter pwd:  <passwordbuggysu>
> util. su will authenticate you successfully. It is a bug, isn't it? But try
> to logon to a unix/linux terminal, it will throw you out:-))  We tested it
> with Linux 2.4.10. 

Probably the login program is blocking you if you enter more than eight
characters regardless of what they are.  But that makes no sense to
me either.  On my systems I can definitely have a password that is
exactly 8 characters long and I can log into the system by typing in
the valid password followed by garbage at the end.  I just tested it.
But that is on an old style 8 char limited password system running NIS.
But most modern systems allow longer passwords to be used with shadow
passwords and better encryption.

> We hope that the bug will be fixed in the next release. 
> 
> Regards,
> 
> Unix users

Bob
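
Added example, not part of the original message or of sh-utils: a small audit that reads passwd/shadow-style lines and lists the accounts whose stored hash is in the traditional DES crypt(3) format, where only the first 8 password characters are significant, as opposed to md5 crypt (`$1$`). The sample lines and hash strings are constructed placeholders in the right format, not real hashes, and the function names are hypothetical.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars from the
# crypt alphabet, with no "$" prefix. Only the first 8 password characters
# feed into this hash, so "password" and "passwordbuggysu" verify the same.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(hash_field):
    """Return the scheme name for one password-hash field."""
    if hash_field == "":
        return "empty"
    if hash_field[0] in "*!":
        return "locked"          # no usable password, or locked account
    if hash_field.startswith("$1$"):
        return "md5-crypt"       # long passwords are honoured
    if hash_field.startswith("$"):
        return "modular-other"   # some other $id$ scheme
    if DES_RE.match(hash_field):
        return "des-crypt"       # 8-character limit applies
    return "unknown"

def truncating_accounts(text):
    """List users (field 1) whose hash (field 2) is traditional DES crypt."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and classify(fields[1]) == "des-crypt":
            hits.append(fields[0])
    return hits

# Constructed sample in shadow(5) layout; the hash strings are placeholders.
SAMPLE = """\
root:ab0123456789A:11830:0:99999:7:::
alice:$1$abcdefgh$0123456789abcdefghijkl:11830:0:99999:7:::
daemon:*:11830:0:99999:7:::
bob:!ab0123456789B:11830:0:99999:7:::
carol:cd.ABCDEFGHI/:11830:0:99999:7:::
"""

if __name__ == "__main__":
    for user in truncating_accounts(SAMPLE):
        print(f"{user}: DES crypt hash, only the first 8 characters are checked")
```

The same field layout applies to a passwd map served over NIS, so the output of `ypcat passwd` can be checked the same way.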



