Hi,

Thomas Goirand <[email protected]> writes:
> Ansgar Burchardt wrote:
>> Yes, it still is a security risk. It escalates any security problem
>> where the attacker can (only) read arbitrary files into one where the
>> attacker has administrative access to dtc. (cf. /etc/shadow which does
>> not store passwords in a form that allows to easily retrieve the
>> original passwords)
>
> I do understand your point, and I agree. However, the password is set in
> debconf, and then used by the userland shell installer script. What
> other solution do I have here? Any suggestion?

Is it possible to just store a hash of the password? Otherwise, it
could at least be removed by the shell installer script.

Regards,
Ansgar

