[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: root password is not stored in /etc/cipux/

[Christian Kuelker]
> I would not store the (posix) root password on disk.
> I would store the database password, because to let this in
> the hand of teachers is even more dangerous.

With the LDAP admin password on disk it is trivial to create a new
root user in LDAP, and use it to log in to all the machines using the
LDAP database in their PAM and NSS setup.  So having the LDAP admin
password give a person more power than having the root password of a
single machine.  If the users with access to editing the LDAP
directory should not have full access to the LDAP directory, I suspect
we need to find a way to store the password in memory instead of on
the disk.

> But why you store the cn=smbadmin in clear text on disk? Which is
> again the root password.

This sounds bad.  I belived the smbadmin password was a random key
only giving access to the SMB part of the ldap directory.  If this is
not so, we need to review that procedure.

Friendly,
--
Petter Reinholdtsen
Reply to: