|Summary:||Security hole in adduser/useradd tool|
|Product:||[Retired] Red Hat Linux||Reporter:||soucym|
|Component:||basesystem||Assignee:||David Lawrence <dkl>|
|Status:||CLOSED NOTABUG||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||1998-11-16 13:49:54 UTC||Type:||---|
Description soucym 1998-11-16 13:19:22 UTC
When you add a user with 5.1 it appears to be breaking a standard (discussed this with a long-time Linux user), but the big problem I found was that when adding an account for myself other than root, my password showed up in the /etc/password file IN PLAIN VIEW! It was NOT encrypted until I ran passwd on it. Then it was encrypted. This is a serious bug that needs to be rectified, because ANYONE monitoring that file (/etc/password) would be able to get users' passwords. I mailed email@example.com and got a response to come and post the bug here. So here it is. Email me if there is a patch out to fix this already, but I haven't located one.
Comment 1 Bill Nottingham 1998-11-16 13:49:59 UTC
The -p option to adduser is to set the *encrypted* password; it assumes whatever you give it is already encrypted. Notice if you try to use whatever you specified to -p to log in that it won't work...
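A check that follows from the comment above, added here as an example and not part of the original bug thread: because `-p` stores its argument verbatim, a password field that cannot be crypt(3) output marks an account that was created with a plaintext argument. The function names, sample accounts and hash-shaped strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): shape check on passwd password fields.
# Sample accounts and hash-shaped strings below are constructed for illustration.

# Print what the password field looks like. This checks shape only: a
# plaintext that happens to be 13 crypt-alphabet characters would pass as "des".
classify_pwfield() {
    case "$1" in
        "")                 echo empty ;;       # no password at all
        x)                  echo shadowed ;;    # real field lives in /etc/shadow
        \**|!*)             echo locked ;;      # cannot match any crypt output
        \$[0-9a-z]*\$?*)    echo modular ;;     # $id$salt$hash, e.g. $1$ = MD5 crypt
        *)
            # Traditional DES crypt: exactly 13 chars from [./0-9A-Za-z]
            if printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo des
            else
                echo not-a-hash                 # likely plaintext passed to -p
            fi ;;
    esac
}

# Read passwd-format lines on stdin; report accounts needing attention.
scan_passwd() {
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        verdict=$(classify_pwfield "$pw")
        case "$verdict" in
            empty|not-a-hash) echo "$user:$verdict" ;;
        esac
    done
}

# Constructed sample file contents.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:hunter2:500:500::/home/alice:/bin/bash
bob:ab3xK9q.ZpLmN:501:501::/home/bob:/bin/bash
carol:$1$Qw3rTy9z$abcdefghijklmnopqrstu.:502:502::/home/carol:/bin/bash
dave::503:503::/home/dave:/bin/bash
eve:*:504:504::/home/eve:/bin/false
EOF
}

sample_passwd | scan_passwd
```

On a real system the same scan is run as `scan_passwd < /etc/passwd`, or against `/etc/shadow` where shadow passwords are enabled, since the password is field 2 in both files.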
Comment 2 openshift-github-bot 2016-07-05 17:48:01 UTC
Commits pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/962bcbc2400f6e66e951e61ba259e81a6036f1a2
fix issue#88 - generate unique cookie based on vtep

https://github.com/openshift/origin/commit/c7a4777f9eb352bf9956a62803bbcd8fc9de9fde
Merge pull request #89 from rajatchopra/master

fix issue#88 - generate unique cookie based on vtep