Mark Janssen writes:

> Well... as root I don't even WANT to see what passwords my users came up

Good for you. So, just don't open that file.

> with. When /etc/shadow would contain plain-text passwords these would be
> visible to anyone with root access (in some way, rooted or legal). There
> is a large chance these passwords (maybe also root) are used on other
> systems. Furthermore it's a bit of privacy for your users, maybe they
> use the same password as an encryption key for crypted files, their SSH
> or PGP passphrases etc.

If you wanted to, you could get this even if the passwords are crypted. Security through obscurity does not work.

> Also I would like to have the courier-webadmin password crypted, because
> when someone gets apache or whatever to read the password file (and
> apache or the cgi at least needs to be able to I guess) they can access

The cgi-bin program - yes, apache - no.

> the admin interface. With a crypted password they would need to either
> hack the admin interface or recover the password first.
>
> And it's not like it's such a big and large problem to enable MD5 crypto
> on the password (or some other crypto)

It's not, but I don't even see an urgent need to bother.

--
Sam
