[100839] in RedHat Linux List
Re: Hacked! :(
daemon@ATHENA.MIT.EDU (Jan Carlson)
Mon Nov 23 13:59:57 1998
Date: Mon, 23 Nov 1998 13:54:10 -0500
From: Jan Carlson <janc@iname.com>
To: redhat-list@redhat.com
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
"Soffen, Matthew" wrote:
> Even if you use shadow passwords, it can be broken. All it takes is
> access to the shadow password file.
> Matthew Soffen - Webmaster http://www.iso-ne.com/
The shadow file is kept readable only by root. If you're root you don't
need shadow.
A hole that gives you access to shadow without giving you root access
first would be doing things the hard way - has anybody heard of one?
Install the shadow-utils rpm and run pwconv,
as one of your basic security measures.
Some old programs break after pwconv, because they want to read the
password file directly, instead of going through the normal API.
Usually they can be upgraded or recompiled. If not, and you don't run
pwconv, then it's a security risk if anyone has physical or network
access to the machine.
--
Jan Carlson
janc@iname.com Scarborough, Ontario, Canada
Mailed with Netscape 4.5 on Red Hat Linux 5.2
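
A check for the state the message above recommends, as an added example that is not part of the original post: it reports accounts whose hash is still in the world-readable passwd file (pwconv not yet run) and tests that the shadow file is readable by its owner only. The function names, the file copies and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Paths are passed as
# arguments so the audit can run against copies of the real files.

# Print login names whose passwd entry still carries a hash in field 2.
# After pwconv that field is "x"; a leading "*" or "!" marks a locked
# account. An empty field (no password at all) is a separate problem
# and is not reported here.
unshadowed_accounts() {
    awk -F: '!/^#/ && NF && $2 != "x" && $2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Succeed only if the file exists and neither group nor other may read
# it, matching "readable only by root" in the message. Ownership is not
# checked, so the test also works on a copy owned by a normal user.
only_owner_can_read() {
    [ -e "$1" ] &&
        [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Constructed sample data: alice still has a (fake) crypt string in
# passwd, everyone else has already been converted or is locked.
make_sample() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:abCONSTRUCTED.:500:500:Alice:/home/alice:/bin/bash' \
        'bob:x:501:501:Bob:/home/bob:/bin/bash' \
        'ftp:*:14:50:FTP User:/home/ftp:' > "$1/passwd"
    printf '%s\n' \
        'root:$1$constructed$notarealhashvalue0000:10553:0:99999:7:::' > "$1/shadow"
    chmod 644 "$1/passwd"
    chmod 600 "$1/shadow"
}

# Demonstration on the constructed files.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "hashes still in passwd: $(unshadowed_accounts "$demo_dir/passwd")"
if only_owner_can_read "$demo_dir/shadow"; then
    echo "shadow: readable by owner only"
else
    echo "shadow: readable by group or other"
fi
rm -rf "$demo_dir"
```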