On Monday 22 August 2011 18:46:54 Kevin Day wrote:
> In the case of /etc/shadow, this means that there should not be a
> single file containing everybody's password.
> Instead, a separate directory (example: /etc/shadow.d) should exist
> with each person able to access the shadow file to their own
> passwords.
> 1) no root access needed to login or otherwise alter password
> 2) the user has control over their own password via a group or owner
> permission
> The downsides are:
> 1) The program reading the password must then always sanitize the
> read-in password data as it is now considered unsafe input.
> 2) no software currently exists to read this (thus patching of
> shadow-utils is required). While I will probably do this myself for my
> system, I don't have the time right now nor do I see any reason for
> you to do this just because I believe it's the better alternative.
> 3) There may be a size/performance penalty of having multiple files.
> 4) It makes it easy for a user to mess themselves up.
This pretty much exists in Owl Linux: http://www.openwall.com/tcb/

robert
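The read-side downside Kevin raises above (once each user owns their shadow record, the reader has to treat the file as untrusted input) worked through as an added Python example; this is not code from the thread or from Owl's tcb. It assumes the proposed layout shadow_dir/<user> with one shadow(5)-style record per file, owned by that user; the field syntax is modelled on shadow(5), and the sample record is constructed.

```python
import os, re, stat, tempfile

# Hypothetical layout from the thread: shadow_dir/<user>, owned by that user,
# holding one shadow(5)-style record. The file's bytes are untrusted input.
HASH_RE = re.compile(r"^[A-Za-z0-9./$!*]*$")     # crypt(3) output or lock marker
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # also blocks "../" in the path

def parse_shadow_line(data, user):
    """Validate one record; anything unexpected is a ValueError, never a default."""
    lines = data.decode("ascii").split("\n")       # non-ASCII raises UnicodeDecodeError
    if len(lines) != 2 or lines[1]:                # exactly one "\n"-terminated line
        raise ValueError("expected exactly one record")
    f = lines[0].split(":")
    if len(f) != 9 or f[0] != user or f[8]:
        raise ValueError("bad field count, name mismatch or reserved field set")
    if not HASH_RE.match(f[1]):
        raise ValueError("hash field contains unexpected characters")
    if any(x and not x.isdigit() for x in f[2:8]):  # lastchg..expire: int or empty
        raise ValueError("non-numeric aging field")
    return {"name": f[0], "hash": f[1], "aging": [int(x) if x else None for x in f[2:8]]}

def read_user_shadow(shadow_dir, user, expected_uid):
    """Open without following symlinks, check owner/mode on the open fd, then parse."""
    if not NAME_RE.match(user):
        raise ValueError("bad user name")
    fd = os.open(os.path.join(shadow_dir, user), os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)                          # fstat: no check-then-open race
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid
                or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH)):
            raise ValueError("not a regular, user-owned file with a tight mode")
        return parse_shadow_line(os.read(fd, 4096), user)
    finally:
        os.close(fd)

def rejection(fn, *args):
    try:                                           # error message, or None if accepted
        fn(*args)
    except ValueError as e:
        return str(e)

def demo():
    """Constructed: alice's 0600 file is accepted, then refused once world readable."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "alice")
        with open(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), "wb") as fh:
            fh.write(b"alice:$6$saltsalt$constructedhash:19600:0:99999:7:::\n")
        ok = read_user_shadow(d, "alice", os.getuid())
        os.chmod(path, 0o644)
        return ok, rejection(read_user_shadow, d, "alice", os.getuid())
```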
-- 
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page