userpasswd

Marcia Wilbur aicra at well.com
Fri Oct 24 16:00:53 UTC 2003


In RH 9, userpasswd is broken.
Reasons why:

1. Shadow passwords require that the /etc/shadow file not be
writeable by just anyone. This means that users cannot change it. Nor can
any program run by the user.

2. You cannot set userpasswd to be setuid root, because that would
mean that any user can change any user's password: if they are at a terminal
that someone forgot to log out from, they can change the password for that
user.

3. The userpasswd program simply assumes that the user who was trying to
change the password is the one that is running the program.

Some other approach must be taken.

-marcia
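
The three points above, as an added example that is not part of the original post and not Red Hat's code: one possible authorization check for a privileged password-change helper, which takes the caller's identity from the real UID and demands the current password before acting. The names `may_change_password`, `verify_fn` and `demo_verify`, and the sample account and password, are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical callback: returns 1 if `password` is the current password of
   `user`. A real helper would do this through PAM or the shadow hash. */
typedef int (*verify_fn)(const char *user, const char *password);

enum decision { ALLOW, DENY_UNKNOWN_CALLER, DENY_OTHER_USER, DENY_NO_REAUTH };

/* caller_uid must be the real UID from getuid(), never a value taken from
   argv or the environment; caller_name is the getpwuid() result for it. */
enum decision may_change_password(uid_t caller_uid, const char *caller_name,
                                  const char *target, const char *current_pw,
                                  verify_fn verify)
{
    if (caller_name == NULL || target == NULL)
        return DENY_UNKNOWN_CALLER;
    if (caller_uid == 0)
        return ALLOW;                 /* root may reset any account */
    if (strcmp(caller_name, target) != 0)
        return DENY_OTHER_USER;       /* point 2: not "any user's password" */
    if (verify == NULL || current_pw == NULL || !verify(target, current_pw))
        return DENY_NO_REAUTH;        /* points 2 and 3: unattended terminal */
    return ALLOW;
}

/* Constructed stand-in verifier with one constructed account, demo only. */
int demo_verify(const char *user, const char *password)
{
    return strcmp(user, "alice") == 0 && strcmp(password, "old-secret") == 0;
}

int main(void)
{
    uid_t uid = getuid();             /* who actually started the process */
    struct passwd *pw = getpwuid(uid);
    const char *name = pw ? pw->pw_name : NULL;
    /* No current password supplied: an unprivileged caller is refused. */
    enum decision d = may_change_password(uid, name, "alice", NULL, demo_verify);
    printf("uid %lu, no re-authentication: decision %d\n",
           (unsigned long)uid, (int)d);
    return 0;
}
```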





More information about the fedora-devel-list mailing list