TheSin said:
> but this is why I'm posting the list, I need ideas for this sort of
> thing, I have most of the major stuff worked out, like not needing a db
> for uids

I must have missed this-- how does this work? (or do I have to UTSL?)

> On Monday, August 11, 2003, at 11:40 AM, Chris Dolan wrote:
>
>> Am I missing something?
>>
>> I don't understand why you have a Pass field at all.  Default
>> passwords are evil, and are an obvious route for attackers.  Perhaps
>> Pass should be a flag to indicate that Fink should prompt the user for
>> a password?  That's still rotten, IMHO, but infinitely better than
>> having default passwords.
>>
>> The usual procedure is to use "*" as the crypted password for daemon
>> accounts, indicating that nobody may log in using that account
>> directly.  IIRC, a blank password crypt usually means that no password
>> is required for login, yes?  That would be very bad.

I have to agree with Chris on this one. I can't think of a single fink
package that would initially require a non-locked password. (Well, maybe
some databases need one for initial access to their own access control
lists-- I haven't checked-- but that's different than the system password
database.)

The pseudo-accounts required by these packages are only for separation of
privileges, not for logins. Usually, the account is used by a process
which starts off running as root, and immediately switches to an
unprivileged pseudo-account to minimize potential damage. Locking the
password ("*" in the crypt field-- no Unix crypt() function should ever
return "*" for a hash) does not prevent privilege separation from working,
and has the added benefit of keeping the account secure.

-- 
Charles Lepple <[EMAIL PROTECTED]>
http://www.ghz.cc/charles/
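
The two points made above, a locked crypt field ("*", never produced by crypt()) versus an empty one, and a daemon that starts as root and immediately switches to its pseudo-account, as an added C example that is not Fink's code or anything from this thread. It assumes passwd-style `name:crypt:uid:gid:...` lines (the sample lines are constructed, not read from a real system) and, for the demo in `main`, that a `nobody` account exists to drop to:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* How the password field of a passwd-style entry should be read. */
enum pw_state {
    PW_LOCKED,    /* "*" or "!...": no hash can match, direct login impossible */
    PW_EMPTY,     /* "": login with no password at all, the case to catch */
    PW_HASHED,    /* a real crypt() hash: a password exists for this account */
    PW_MALFORMED  /* not a "name:pw:..." line at all */
};

/* Classify the second field of "name:crypt:uid:gid:gecos:home:shell".
 * crypt() output never begins with '*' or '!', so either character
 * marks the account as locked; an empty field means no password. */
enum pw_state classify_entry(const char *entry)
{
    const char *field = strchr(entry, ':');
    if (field == NULL)
        return PW_MALFORMED;
    field++;
    const char *end = strchr(field, ':');
    if (end == NULL)
        return PW_MALFORMED;
    if (end == field)
        return PW_EMPTY;
    if (field[0] == '*' || field[0] == '!')
        return PW_LOCKED;
    return PW_HASHED;
}

/* Switch from root to an unprivileged pseudo-account. Order matters:
 * supplementary groups, then primary gid, then uid, because once the uid
 * is non-zero the group changes are no longer permitted. Returns 0 on
 * success, -1 with errno set if a step fails or the drop did not stick. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {               /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (setgroups(1, &gid) != 0)  /* shed root's supplementary groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Confirm the change is permanent: regaining root must now fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Demo: classify a few constructed entries, then look up the pseudo-account
 * by name (assumes "nobody" exists) and drop to it. The drop only happens
 * when the program is started as root. */
int main(void)
{
    /* Constructed sample entries, not read from any system file. */
    const char *samples[] = {
        "mysql:*:27:27:MySQL daemon:/var/lib/mysql:/usr/bin/false",
        "demo::1001:1001::/home/demo:/bin/sh",
        "demo:$6$saltsalt$hashhash:1001:1001::/home/demo:/bin/sh",
    };
    static const char *names[] = { "locked", "EMPTY (no password!)", "hashed", "malformed" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-60s -> %s\n", samples[i], names[classify_entry(samples[i])]);

    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL) {
        fprintf(stderr, "no 'nobody' account to drop to\n");
        return 1;
    }
    if (geteuid() != 0) {
        printf("not root; privilege drop skipped\n");
        return 0;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The verification step after `setuid()` is the part worth copying: on systems where a failed `setuid()` leaves the process as root, checking the return value alone is not enough, so the code also confirms that `setuid(0)` now fails and that real and effective ids both read back as the target account.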

_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel