On Mon, 18 Nov 2002 12:30:16 -0500 Squire Karol Pietrzak uttered the following:
Before, I couldn't log back into KDE after locking the screen or even change my password using passwd. kcheckpass would fail.
I did not run harden_suse (it doesn't even work in SuSE 8.1), but what I did is use permissions.paranoid in /etc.
The way I fixed this was to add read permission to /etc/shadow:
chmod 644 /etc/shadow
...anybody care to comment on the security issues related to this?
VERY VERY bad idea! You have just nullified the benefit of having a shadow file.

<History Lesson>

*nix computers used to have one file (/etc/passwd) that contained all info about a user including a hash of their password. The system would compare new logins with this hash and if it matched allow a user to log in. As this file contained ALL info including UID -> username mapping and home directory info this file had to be world readable.

Then some nasty hackers discovered that you could copy this file, and run a dictionary through the unix crypt() function and compare the resulting hashes with those in the world readable passwd file and get thousands of compromised accounts (in a university environment).

The smart unix people then designed the shadow passwd suite which kept all the normal UID etc info in the passwd file as usual, but the actual passwd hash in a "shadow" copy of the passwd file that only root (and SUID root programs) could read. Thus stopping the nasty hackers from taking copies of it.

In other words, you just set the security of your system back ten years :-)

Cheers

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
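
A defender-side check for the passwd/shadow split described in the reply above, as an added example that is not part of the original thread: it flags a world-readable shadow file and any passwd entry that still carries a hash in its second field. It assumes GNU stat (as on Linux); the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit the passwd/shadow split.
# Paths are parameters so the check can be run against copies of the files.
# Usage (after sourcing): audit_shadow /etc/passwd /etc/shadow

# Print the octal mode of a file, e.g. 640 (assumes GNU stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null
}

# Return 0 if "other" has read permission on the file.
world_readable() {
    mode=$(file_mode "$1") || return 2
    other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
    [ $((other & 4)) -ne 0 ]
}

# List accounts whose passwd entry holds something other than a
# placeholder in field 2 (empty, x, * or a leading ! lock marker).
unshadowed_accounts() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Report findings; the return status is the number of findings.
audit_shadow() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    findings=0
    if world_readable "$shadow_file"; then
        echo "FAIL: $shadow_file is world-readable (mode $(file_mode "$shadow_file"))"
        findings=$((findings + 1))
    fi
    for user in $(unshadowed_accounts "$passwd_file"); do
        echo "FAIL: $passwd_file holds a password hash for '$user'"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ] && echo "OK: hashes are confined to a non-world-readable shadow file"
    return "$findings"
}
```
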