On Friday 02 August 2002 12:51, Monaghan, John wrote:
> I agree but you originally could not "see" the shadow file with kcheckpass
correct.
> and the fix was to set ownership to root, group to shadow
correct. And mode 640, which means users cannot see the contents.
> and setgid shadow.
not to shadow, but to "kcheckpass".
> The latter of which I thought was just as much a security risk or am I totally wrong?
Now, somehow the system has to read the shadow file. With the above setting the password hash is protected from viewing by non-root users. Of course, setgid/setuid to privileged groups/users is a risk, but it is also a way to protect sensitive data. Of course, we now have to trust that there are no exploits for "kcheckpass".

Martin
--
Martin Knoblauch
Senior System Architect
MSC.software GmbH
Am Moosfeld 13
D-81829 Muenchen, Germany
e-mail: martin.knoblauch@mscsoftware.com
http://www.mscsoftware.com
Phone/Fax: +49-89-431987-189 / -7189
Mobile: +49-174-3069245
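An audit of the settings discussed in this thread, as an added example that is not part of the original message: it checks that the shadow file is root:shadow with mode 640 and that the password-checking helper reads it through a setgid bit rather than setuid root. It assumes the helper's group is `shadow`; the function names are hypothetical and both paths are supplied by the caller.

```python
import grp
import os
import pwd
import stat
import sys

def check_shadow(mode, owner, group):
    """Findings for the shadow file; the thread's setting is root:shadow, mode 640."""
    findings = []
    if owner != "root":
        findings.append(f"owner is {owner}, expected root")
    if group != "shadow":
        findings.append(f"group is {group}, expected shadow")
    perms = stat.S_IMODE(mode)
    if perms != 0o640:
        findings.append(f"mode is {perms:o}, expected 640")
    return findings

def check_helper(mode, owner, group):
    """Findings for the password-checking helper (assumed: setgid, group shadow)."""
    findings = []
    if not mode & stat.S_ISGID:
        findings.append("setgid bit not set")
    if group != "shadow":
        findings.append(f"group is {group}, expected shadow")
    if mode & stat.S_ISUID and owner == "root":
        findings.append("setuid root grants more than read access to shadow")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others, binary can be replaced")
    return findings

def describe(path):
    """Return (mode, owner name, group name) for a path on this system."""
    st = os.stat(path)
    return st.st_mode, pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name

if __name__ == "__main__":
    # Usage: script.py <shadow file> <helper binary>; both paths come from the caller.
    shadow_path, helper_path = sys.argv[1], sys.argv[2]
    for path, check in ((shadow_path, check_shadow), (helper_path, check_helper)):
        for finding in check(*describe(path)) or ["ok"]:
            print(f"{path}: {finding}")
```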