[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: root password is not stored in /etc/cipux/

The key must not be stored, as it can be reproduced from /proc. Therefor 
you need already to be there. On your local machine, you will get 
another md5sum.

Am Mittwoch 13 Dezember 2006 15:11 schrieb Christian Kuelker:
> (3) It must be documented, for the developers.

Yes, but the md5sum will be different on any machine. 
> So you will not gain a bit of security.

We will increase security when we 
1. disable any modes of login for root (the root password will lose its 
value then!)
2. refrain from storing _plain_ passwords. 

The 2nd case together with a sligh policy for the Skolelinux 
backupserver has given pupils access to the root password.

Imagine this scenario:

Mister X is an administrating teacher, just our target group, as his 
Linux skills are rather mediocre.

During summer holidays he dares install a combined Tjener/LTSP. By means 
of some Webmin based interface, he imports users from csv files that 
are stored in his local home directory /skole/tjener/home0. He is wise 
enough to delete those files and even his account before school starts.

Now, every pupil gets their password. Cool Joe does a search for his 
password (say "ToPSeCr3t") and - wow! - discovers a file import.csv (or 
some mozilla cache log) 
in /skole/tjener/backup/skole/tjener/home0/misterx which is world 

Of course, you could blame Mister X being ignorant towards rights of 
mounted discs and so on - but I know that this mistake is made by most 
amateur admins (just start searching now!)

Yes, I know, my suggestions are rather tentative - but hopefully 
inspiring to some of you ;)


Reply to: