TheSin said:
> but this is why I'm posting the list, I need ideas for this sort of
> thing, I have most of the major stuff worked out, like not needed a db
> for uids

I must have missed this-- how does this work? (or do I have to UTSL?)

> On Monday, August 11, 2003, at 11:40 AM, Chris Dolan wrote:
>
>> Am I missing something?
>>
>> I don't understand why you have a Pass field at all. Default
>> passwords are evil, and are an obvious route for attackers. Perhaps
>> Pass should be a flag to indicate that Fink should prompt the user for
>> a password? That's still rotten, IMHO, but infinitely better than
>> having default passwords.
>>
>> The usual procedure is to use "*" as the crypted password for daemon
>> accounts, indicating that nobody may log in using that account
>> directly. IIRC, a blank password crypt usually means that no password
>> is required for login, yes? That would be very bad.

I have to agree with Chris on this one. I can't think of a single fink package that would initially require a non-locked password. (Well, maybe some databases need one for initial access to their own access control lists-- I haven't checked-- but that's different than the system password database.)

The pseudo-accounts required by these packages are only for separation of privileges, not for logins. Usually, the account is used by a process which starts off running as root, and immediately switches to an unprivileged pseudo-account to minimize potential damage. Locking the password ("*" in the crypt field-- no Unix crypt() function should ever return "*" for a hash) does not prevent privilege separation from working, and has the added benefit of keeping the account secure.

-- 
Charles Lepple <[EMAIL PROTECTED]>
http://www.ghz.cc/charles/
_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel
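
The locked-password convention discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not Fink's code: it audits passwd(5)-style entries and reports daemon accounts whose password field is anything other than "*". The account names, the placeholder hash, and the uid cutoff of 499 for daemon accounts are assumptions made for the illustration.

```python
"""Report daemon accounts in passwd(5)-format text that are not locked with "*"."""

# Constructed sample input: name:passwd:uid:gid:gecos:home:shell
SAMPLE = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
postfix:*:27:27:Postfix User:/var/spool/postfix:/usr/bin/false
exampled::250:250:Example daemon:/var/empty:/usr/bin/false
otherd:abXXXXXXXXXXX:251:251:Other daemon:/var/empty:/usr/bin/false
# comment line
broken-line-without-fields
"""

DAEMON_UID_MAX = 499  # assumption: uids up to 499 are system/daemon accounts


def classify(pw_field):
    """Classify the password field of one passwd entry."""
    if pw_field == "":
        return "EMPTY"      # blank field: no password required for login
    if pw_field == "*":
        return "LOCKED"     # crypt() never returns "*", so nothing matches
    if pw_field == "x":
        return "SHADOWED"   # real value lives in a shadow file; audit that too
    return "HASH"           # a usable password hash is set on the account


def audit(text, uid_max=DAEMON_UID_MAX):
    """Return (line number, account, status) for every entry needing attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((lineno, fields[0], "MALFORMED"))
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        status = classify(pw)
        if uid <= uid_max and status != "LOCKED":
            findings.append((lineno, name, status))
    return findings


if __name__ == "__main__":
    for lineno, name, status in audit(SAMPLE):
        print(f"line {lineno}: {name}: {status}")
```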