On Thu, Jan 24, 2002 at 05:46:06PM -0500, Sam Varshavchik wrote:
> David Chin writes:
>
> >>> As I don't trust plaintext passwords in files (no matter the permissions) I
> >>
> >>If you don't trust POSIX permissions, well, it's time to give up on *NIX
> >>completely, and reformat and install NT.
> >
> >Um, then why are passwords in /etc/shadow encrypted?
>
> You tell me. I've been wondering about that for years. If you can read
> shadow, you've rooted the box already and you don't give a fsck what the
> passwords are.

Well... as root I don't even WANT to see what passwords my users came up with. If /etc/shadow contained plain-text passwords, these would be visible to anyone with root access (in some way, rooted or legal). There is a large chance these passwords (maybe also root) are used on other systems. Furthermore it's a bit of privacy for your users; maybe they use the same password as an encryption key for crypted files, their SSH or PGP passphrases etc.

Also I would like to have the courier-webadmin password crypted, because when someone gets apache or whatever to read the password file (and apache or the cgi at least needs to be able to, I guess) they can access the admin interface. With a crypted password they would need to either hack the admin interface or recover the password first.

And it's not like it's such a big and large problem to enable MD5 crypto on the password (or some other crypto).

But then I think I'll just apply the patch that was sent here a few days ago to enable MD5 for this file.

Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
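
The argument in the message above (a process that can read the admin password file should not thereby hold the login password) as an added example, not part of the original post and not Courier's code. It uses salted PBKDF2-HMAC-SHA256 rather than the MD5 crypt mentioned in the thread; the record format and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical one-line record format (not Courier's):
#   pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>
SCHEME = "pbkdf2-sha256"
ITERATIONS = 200_000
MAX_ITERATIONS = 2_000_000  # refuse absurd work factors in a tampered file


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Build the record to store in the password file instead of plaintext."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Check a login attempt against a stored record; fail closed on bad input."""
    try:
        scheme, iter_text, salt_hex, digest_hex = record.strip().split("$")
        iterations = int(iter_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # wrong field count, non-numeric or non-hex field
    if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, iterations)
    # Constant-time comparison so response timing does not leak digest bytes.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = hash_password("constructed-sample-password")  # constructed value
    print("file contents:", stored)
    print("real password accepted:", verify_password("constructed-sample-password", stored))
    # Whoever reads the file has only the record, and the record is not a login.
    print("file contents accepted as password:", verify_password(stored, stored))
```
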
