Package: libpam-mysql
Version: 0.5.0-6
Severity: wishlist

Since the PAM configuration files are normally world-readable, any user can access the encrypted passwords. It might be wise to read the database password from a separate file with permissions like those of /etc/shadow.

Note: You *could* restrict access to the configuration files themselves. That is, as long as all services using pam_mysql have the appropriate permissions so that they don't use the wrong configuration and thereby grant too much access. Still, I don't think that's the right way to do it. What do you think?
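
An audit for the exposure this report describes, added here as an example and not part of the original report or of libpam-mysql: it lists PAM service files that carry an inline pam_mysql database password and are readable by "other". It assumes the password is given with pam_mysql's passwd= option; the sample directory, service names and credential value are constructed.

```python
import os
import re
import stat
import tempfile

# A pam_mysql module line with an inline passwd= option (assumed option name).
# "passwdcolumn=" does not match because "=" must directly follow "passwd".
PAM_MYSQL_PASSWD = re.compile(r"pam_mysql\.so\b.*\bpasswd=\S+")


def exposed_pam_mysql_files(pam_dir):
    """Return (path, mode) for regular files under pam_dir that contain an
    active pam_mysql passwd= option and are world-readable."""
    findings = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                # Join backslash-continued lines before matching.
                lines = fh.read().replace("\\\n", " ").splitlines()
        except PermissionError:
            continue  # we cannot read it, so there is nothing to report
        active = (l for l in lines if not l.lstrip().startswith("#"))
        if any(PAM_MYSQL_PASSWD.search(l) for l in active) and st.st_mode & stat.S_IROTH:
            findings.append((path, stat.filemode(st.st_mode)))
    return findings


def demo():
    """Build a constructed PAM directory and return the flagged entries."""
    line = ("auth required pam_mysql.so user=pamuser passwd=EXAMPLE-ONLY "
            "db=auth table=users passwdcolumn=pw\n")
    samples = {
        "imap": (line, 0o644),         # inline password, world-readable
        "smtp": (line, 0o600),         # inline password, owner-only
        "login": ("auth required pam_unix.so\n", 0o644),
        "ftp": ("# " + line, 0o644),   # commented out, not active
    }
    with tempfile.TemporaryDirectory() as d:
        for name, (text, mode) in samples.items():
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(text)
            os.chmod(p, mode)
        return [(os.path.basename(p), m) for p, m in exposed_pam_mysql_files(d)]


if __name__ == "__main__":
    print(demo())
```

On a real host, call exposed_pam_mysql_files("/etc/pam.d") as root so that restricted files are inspected too.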

