Re: Bits from the release team: the plans for etch

Stephen Frost <sfrost@snowman.net> writes:

> * Thomas Bushnell BSG (tb@becket.net) wrote:
>> Stephen Frost <sfrost@snowman.net> writes:
>> > Leaving around unused accounts is plainly wrong too, and also a
>> > potential security risk.  
>> Can you outline the risk please?
> Sure.  Locking accounts isn't necessarily perfect.

What is an account in the password file?  It's nothing more than the
ability to log in under a given UID.  How is a starred password
anything other than perfect locking of the account?

> Checking that an account is locked requires going through more of
> the authentication system than just checking if the account exists.
> What happens if an admin gives a password to a system account and
> then forgets about the account after purging the software it's
> associated with?

The same thing that happens if he creates a setuid program using that
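The scenario Stephen describes above (a system account that still has a usable password after its package was purged) is exactly what an audit script should look for. The following is an added example written for this page, not code from either poster or from Debian; it parses constructed passwd/shadow-style lines (no real system files are read) and applies the shadow(5) convention that a password field beginning with `!` or `*` is locked, while an empty field is not locked at all. The cut-off for "system account" is the Debian UID range (below 1000), which is an assumption of this example.

```python
"""Flag system accounts whose password field would still accept a login.

Constructed sample data: the hashes below are placeholders, not real
crypt(3) output, and the usernames are invented for this example.
"""

# Sample /etc/passwd-style entries (constructed for this example).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
olddb:x:105:110:Old database server (package purged):/var/lib/olddb:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Sample /etc/shadow-style entries (constructed; placeholder hashes).
SAMPLE_SHADOW = """\
root:$6$placeholdersalt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!$6$lockedsalt$lockedhash:19000:0:99999:7:::
olddb:$6$forgottensalt$forgottenhash:19000:0:99999:7:::
alice:$6$usersalt$userhash:19000:0:99999:7:::
"""

# Assumption: Debian policy reserves UIDs below 1000 for system accounts.
SYSTEM_UID_MAX = 999


def parse_passwd(text):
    """Map username -> {uid, gecos, shell} from passwd(5)-style lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; skip rather than guess
        name, _pw, uid, _gid, gecos, _home, shell = fields
        accounts[name] = {"uid": int(uid), "gecos": gecos, "shell": shell}
    return accounts


def parse_shadow(text):
    """Map username -> encrypted-password field from shadow(5)-style lines."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def is_locked(pw_field):
    """True when the password field can never match any typed password.

    shadow(5): a field starting with '!' or '*' is locked/disabled.  An
    empty field is NOT locked: it means the account has no password at all,
    so it is treated as usable here.
    """
    return pw_field.startswith(("!", "*"))


def unlocked_system_accounts(passwd_text, shadow_text):
    """Return system-account names (uid <= SYSTEM_UID_MAX) whose password
    field is usable, ordered by UID.  root is reported like any other."""
    accounts = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    found = []
    for name, info in sorted(accounts.items(), key=lambda kv: kv[1]["uid"]):
        if info["uid"] > SYSTEM_UID_MAX:
            continue  # ordinary user, out of scope for this check
        pw_field = hashes.get(name)
        if pw_field is None:
            continue  # no shadow entry: nothing to judge from this file
        if not is_locked(pw_field):
            found.append(name)
    return found


if __name__ == "__main__":
    for name in unlocked_system_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"system account {name!r} has a usable password field")
```

Run against the constructed sample, `olddb` is reported (uid 105, password still set, package gone) and `backup` is not (its hash is prefixed with `!`), which is the distinction Stephen's point turns on: existence of the entry tells you nothing, the password field does. A `nologin` shell is deliberately not treated as a lock, since it does not stop `su`, cron or a setuid binary from running as that UID.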

