Thanks much Peter Nixon. So tell me, how do I get kcheckpass, xlock, and friends to work without compromising my security? Aren't they supposed to use PAM anyway? On Tuesday 19 November 2002 06:34, Peter Nixon wrote:
On Mon, 18 Nov 2002 12:30:16 -0500
Squire Karol Pietrzak uttered the following:
The way I fixed this was to add read permission to /etc/shadow:
chmod 644 /etc/shadow
...anybody care to comment on the security issues related to this?
VERY VERY bad idea! You have just nullified the benifit of having a shadow file. <History Lesson> nix computers used to have one file (/etc/passwd) that contained all info about a user including a hash of their password. The system would compare new logins with this hash and if it matched allow a use to login. As this file contained ALL info including UID -> username mapping and home directory info this file had to be world readable. Then some nasty hackers discovered that you could copy this file, and run a dictionary through the unix crypt() function and compare the resulting hashes with those in the world readable passwd file and get thousands of compromised accounts (in a university environment) The smart unix people then designed the shadow passwd suite which kept all the normal UID etc info in the passwd file as usual, but the actuall passwd hash in a "shadow" copy of the passwd file that only root (and SUID root programs) could read. Thus stopping the nasty hackers from taking copies of it
In other words, you just set the security of your system back ten years :-)
Cheers
--
Karol Pietrzak