Re: Empty password field for libuuid & Debian-exim - Why not a security risk?
Quoth Dr. Mark A. Friedman at 2009-10-16 13:25...
> Upon installation, Debian includes users libuuid and Debian-exim in
> /etc/shadow with an empty password field:
>
> libuuid::14292:0:99999:7:::
> Debian-exim::14377:0:99999:7:::
Interesting question. Can't answer it, but will recount a similar
situation I've visited recently.
Only last week I was looking at possible security loopholes in a web
application I am writing. Found a similar scenario:
Users were being created with a blank password, but not enabled. Only
when the account was enabled, would they be able to log in. I surmised
that if there were some unknown loophole that would allow the "user
active y/n" check to be bypassed, entering the user name (if it were
known) with a null password would allow a login to take place.
To prevent this from happening, I am generating a random password (which
is stored as a cryptographic hash) which is actually longer than the
application will accept. Whilst I can't see any way that the user
active check could be bypassed, this gives an extra level of security,
just in case.
Cheers
M
--
Matthew Smith
Smiffytech - Technology Consulting & Web Application Development
Business: http://www.smiffytech.com/
Blog/personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy
Skype: msmiffy
Twitter: @smiffy