Cores and Extras Heliotropic Computing

Monday Nov 03, 2008

Ctrl + C is generally used as a termination request from a user. When Unix recognizes that an interrupt has occurred, it sends a signal to the corresponding process; signals are used by the operating system to notify a process that some event (interrupt) has occurred. There is one uniquely numbered signal for each possible event. When a user presses Ctrl + C, that key combination causes the system to send a signal, SIGINT, to the running process. By default that signal causes the process to terminate immediately. Ctrl + C works on the command line, i.e. in a terminal. The terminal is supported by a terminal driver, and when that driver recognizes the Ctrl + C key combination, it sends a SIGINT signal to all processes running under the current foreground job.

There are other terminal signals, such as Ctrl + Z and Ctrl + \. Ctrl + Z sends a TSTP signal, i.e. SIGTSTP, which causes the process to suspend execution, and Ctrl + \ sends an ABRT signal, i.e. SIGABRT, to immediately terminate a process.

User administration and password storage in Solaris are done in a fairly secure way. Before getting to that topic, some basic ideas about user administration are required. A system administrator can use the useradd command to add a new user to the system. The command is commonly used in the following fashion:
# useradd -u uid -g gid -G (gid1,gid2) -m -d homedirectory -s loginshell -c comment loginname
Here the -m option creates the home directory for that user if it doesn't exist, and the comment normally contains the user's full name etc.
Alternatively, an administrator may choose to edit the /etc/passwd file to add a new user. He would then need to add a line to that file like:
loginname:x:UID:GID:comment:homedirectory:loginshell
and create the home directory manually. Either way, he then needs to set up a password for the user. The 'passwd' command is used to set or change a login password: 'passwd username'.
All users of a system have read-only permission on the /etc/passwd file. That is why passwords are not stored there; only an 'x' appears in place of the password. Although passwords are stored in an encrypted format, decryption software exists that may decrypt those passwords. Passwords are stored in the /etc/shadow file, which only the root user can read.
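
A check built on the passwd line layout and the read permissions described above, as an added example that is not part of the original post. The function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example; the entries below are constructed, not from a real system.

# audit_passwd FILE: flag lines that differ from the layout
# loginname:x:UID:GID:comment:homedirectory:loginshell
audit_passwd() {
    awk -F: '
        NF == 0   { next }                 # skip blank lines
        NF != 7   { print $1 ": expected 7 fields, found " NF; next }
        $2 != "x" { print $1 ": password field holds data instead of x" }
    ' "$1"
}

# others_can_read FILE: succeeds when group or other has read permission,
# which is expected for a passwd file and a finding for a shadow file.
others_can_read() {
    perms=`ls -ld "$1" | cut -c1-10`
    case "$perms" in
        ????r?????|???????r??) return 0 ;;
    esac
    return 1
}

# run_sample: audit a constructed passwd-format file.
run_sample() {
    sample=`mktemp "${TMPDIR:-/tmp}/passwd.XXXXXX"` || return 1
    cat > "$sample" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
alice:x:1001:10:Alice Example:/export/home/alice:/bin/ksh
bob:CONSTRUCTED-HASH:1002:10:Bob Example:/export/home/bob:/bin/ksh
carol:x:1003:10:/export/home/carol:/bin/ksh
EOF
    audit_passwd "$sample"
    rm -f "$sample"
}

run_sample
```

On a live system, others_can_read /etc/shadow succeeding is the finding to act on.
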
A user may use the passwd command to change his own login password, and the root user may use it to change the login password of any user. When the passwd command is used to change a password, it follows a series of steps. Here is the step-by-step description:

i) It asks for the old password. There are several reasons for this: first, authentication, and second, checking whether aging is sufficient.
ii) Then it asks for the new password. After one is entered, it checks the password constraints from /etc/default/passwd. The system administrator may change that file according to need and the required security. If the password fulfills all constraints, it asks for the new password again to confirm.
iii) Then it consults the passwd and passwd_compat entries in the /etc/nsswitch.conf file to determine where the update will be stored.

We have already discussed the /etc/passwd and /etc/shadow files. The entries in /etc/shadow are created with information from /etc/passwd. Check out the man page of pwconv, the system administrator's command to install and update /etc/shadow with information from /etc/passwd.
The steps behind the passwd command discussed above are a bit different for the root user. For the root user there is no constraint on setting or changing a password, and it won't even ask for the old one.

To sum it all up, the system files behind password storage are:
/etc/passwd
/etc/shadow
/etc/opasswd
/etc/oshadow
/etc/default/passwd

Check out 'man passwd' for a more detailed description.

When your shell script generates a temporary file, you must be very careful, as this is very vulnerable to attack. Say you are using a shell script which creates temporary files in this insecure way:
sort /home/ritwik/filename > /tmp/temp.$$
This code generates a temporary file with the PID as a suffix, which helps an attacker guess the file name. Since the PID of your program will most likely be between 1 and 33000, if he creates 33000 symlinks one of them will definitely work. If an attacker creates a symlink with the assumed file name and points it to another file, say abc, then abc will be overwritten. If abc is an important system file, the system will suffer. At the least, if the attacker edits the contents of the temporary file (since all users have read and write permission in the /tmp directory), the program will produce wrong output.
Removing the symlink (you can do it with: rm -rf /tmp/temp.$$) is not a good solution, as an attacker may recreate it before the sort command executes.
Solaris provides a much safer way to create temporary files with 'mktemp' (check out 'man mktemp'). As the man page suggests, you can create a temporary file securely in this way:

# mktemp creates the file itself and prints the name it chose
TMPFILE=`mktemp -t example.XXXXXX`
if [ -z "$TMPFILE" ]; then exit 1; fi
echo "program output" >> "$TMPFILE"

Here you place some X characters as a suffix; they are replaced by a random value, so the file name is quite difficult to guess.

Now think about another situation, where you create a good number of temporary files in a shell script. Creating each file in the way shown above would be a pretty laborious job. 'mktemp' provides another option, securely creating a temporary directory in this way:

# mktemp -d creates the directory itself and prints the name it chose
TMPDIR=`mktemp -d /usr/tmp/dir.XXXXXX`
if [ -z "$TMPDIR" ]; then exit 1; fi
echo "program output" >> "$TMPDIR/somefilename"

Here, too, you place some X characters as a suffix; they are replaced by a random value, so the directory name is quite difficult to guess.
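
The difference between the PID-suffixed name and the two mktemp forms above, as an added example that is not part of the original post. Everything happens inside a private sandbox directory: a link already present under the predictable name redirects the naive write into another file, while mktemp creates its own file and leaves that file alone. The function names, the sandbox and the 'victim' file (standing in for abc) are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: all paths live in a private sandbox; "victim" stands in for abc.

# naive_write DIR: the unsafe pattern, a predictable name built from the PID.
naive_write() {
    echo "program output" > "$1/temp.$$"
}

# safe_write DIR: mktemp picks an unused random name and creates the file itself.
safe_write() {
    tmpfile=`mktemp "$1/temp.XXXXXX"` || return 1
    echo "program output" >> "$tmpfile"
    echo "$tmpfile"
}

# mode_of PATH: the ten-character permission string reported by ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# compare_patterns: prints one line per observation.
compare_patterns() {
    sandbox=`mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX"` || return 1
    dirmode=`mode_of "$sandbox"`
    echo "dir mode: $dirmode"

    echo "important data" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/temp.$$"   # link under the guessed name
    naive_write "$sandbox"                       # the write follows the link
    content=`cat "$sandbox/victim"`
    echo "victim after naive write: $content"

    echo "important data" > "$sandbox/victim"    # restore, then try mktemp
    created=`safe_write "$sandbox"` || return 1
    content=`cat "$sandbox/victim"`
    echo "victim after mktemp write: $content"
    filemode=`mode_of "$created"`
    echo "file mode: $filemode"

    rm -rf "$sandbox"
}

compare_patterns
```
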

Thursday Oct 30, 2008

Solaris provides a cryptographic framework to its users. Different providers are available: user level, kernel level and even hardware level. Different kinds of algorithms are used, such as symmetric, asymmetric or hash functions. When using a cryptographic algorithm to secure confidential data, one thing must be kept in mind: a weak algorithm may break all security measures and make confidential data available to an unauthorized user. There are many third-party password encryption algorithms available on the web. Someone can download and install one through 'pkgadd' and use it by editing '/etc/security/crypt.conf', '/etc/security/policy.conf' etc. But using a non-standard algorithm is dangerous, because it is very vulnerable to attack and intruders can easily gain access to a system by deciphering through such algorithms.
So password protection and the protection of other valuable data must be done only with a widely used, well-known and well-standardized encryption algorithm. It is recommended to use algorithms with keys that are at least 128 bits in length for adequate security.
Weak hash functions bring the same kind of threat, as reversible hash functions can be exploited by an intruder to determine the original input and gain access to a system. So when using any kind of cryptographic framework, a user must be very careful, as it may cause serious security problems in a system.

I can easily remember the days when I started learning J2EE and web technology. Database connectivity from a JSP / servlet page was often done with the following kind of code:
Connection con = DriverManager.getConnection(url , usrname, passwd);
This is an example of a hard-coded password, where the actual password is used in the code to do some task. Hard-coded passwords and cryptographic keys always increase the chance of security-related problems. This kind of coding is not secure: first of all, someone can run 'javap -c' on the generated class file and recover the password, the username ... basically everything he wants to know. The password can't be changed without a patch, the whole developer team needs to know the password, an unauthorized user who knows the password can easily gain access to the system, and moreover the password will remain the same across the various companies and organizations that use the product.

The same kind of security threat may come from hard-coded cryptographic keys. It is not a tough job for an unauthorized user to gain access where hard-coded cryptographic keys are used. Using a hash function won't be a safer idea either, as most of them are reversible and vulnerable to attack.

For more detailed information and references, check out:
http://cwe.mitre.org/data/definitions/259.html
http://cwe.mitre.org/data/definitions/321.html