- Path: sparky!uunet!zaphod.mps.ohio-state.edu!caen!destroyer!cs.ubc.ca!dixie.cs.ubc.ca!not-for-mail
- From: hassan@cs.ubc.ca (Moustafa Hassan)
- Newsgroups: alt.hackers
- Subject: cracking login?
- Date: 22 Nov 1992 12:45:26 -0800
- Organization: Computer Science, University of B.C., Vancouver, B.C., Canada
- Lines: 28
- Approved: yes
- Message-ID: <1eorh6INN684@dixie.cs.ubc.ca>
- NNTP-Posting-Host: dixie.cs.ubc.ca
- Summary: disillusion me
-
- I've thought of a scheme for logging in as any user in a given file system.
- The only problem is that it's too easy. I must be under some illusion.
- I'd appreciate it if someone pointed out the flaw in my algorithm:
-
- 1. Obtain the code for login.c. I've done this. I'm having some trouble
- compiling it, because some constants are defined differently on my
- system. I should be able to fix this within a month's work.
- 2. Change the call to getpass to a function that reads in an arbitrary number
- of characters up to the newline. This is trivial.
- 3. Remove the encryption step where the password is encrypted.
- 4. Recompile.
- 5. When executing login, give it (the publicly available) user id and
- encrypted password of any user on the system, and you're in.
-
- As I said, this scheme is too easy, and I refuse to believe that unix systems
- lack security to such a degree. Would someone take the time to disillusion
- me?
-
- ObHackInProgress:
- Writing a dumb terminal unix-like shell for my Mac Plus in C, and possibly
- later in scheme.
-
- Cheers,
- ********************************************************************
- * Moustafa Hassan | *
- * hassan@cs.ubc.ca | Political correctness is a euphemism *
- * TEL/FAX: (604) 535-2826 | for intellectual stagnation. *
- ********************************************************************
-
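Added example, not part of the original post: the step in login that actually makes the session belong to another account is a setuid() call, and the kernel refuses that call to a process without root privilege, which is what a privately recompiled, non-setuid login.c would be. The sketch below tries that call from an ordinary uid and reports the kernel's answer. The names `try_switch_user`, `other_uid` and `ORDINARY_UID` are hypothetical, and uid 65534 is assumed to be an unprivileged "nobody" account.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define ORDINARY_UID 65534 /* assumption: "nobody", stands in for whoever recompiled login */

/*
 * Attempt what login does once it has accepted a password: setuid() to the
 * account being logged into. Runs in a child so the caller's credentials are
 * untouched. Returns 0 if the kernel allowed the switch, the errno from
 * setuid() if it refused, or -1 if the experiment could not be run.
 */
int try_switch_user(uid_t target)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* If the demo was started by root, drop to an ordinary uid first so
         * the child has only the privileges of a home-built, non-setuid login. */
        if (geteuid() == 0 && setuid(ORDINARY_UID) != 0)
            _exit(255);
        _exit(setuid(target) == 0 ? 0 : errno);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

/* A uid different from the one the child runs as: root when we start as an
 * ordinary user, uid 1 when we start as root and drop to ORDINARY_UID. */
uid_t other_uid(void)
{
    return geteuid() == 0 ? 1 : 0;
}

int main(void)
{
    int rc = try_switch_user(other_uid());
    if (rc == 0)
        puts("setuid allowed");
    else if (rc > 0)
        printf("setuid refused: errno %d (EPERM is %d)\n", rc, EPERM);
    else
        puts("could not run the experiment");
    return 0;
}
```

The system's own login can make this call only because it is started by root (or installed setuid root); a copy compiled in a user's directory runs with that user's uid, whatever it does with the password.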