Re: root password is not stored in /etc/cipux/
The key must not be stored, as it can be reproduced from /proc. Therefore
you already need to be there. On your local machine, you will get
another md5sum.
On Wednesday 13 December 2006 15:11, Christian Kuelker wrote:
> (3) It must be documented, for the developers.
Yes, but the md5sum will be different on any machine.
>
> So you will not gain a bit of security.
We will increase security when we
1. disable any modes of login for root (the root password will lose its
value then!)
2. refrain from storing _plain_ passwords.
The 2nd case, together with a slight policy for the Skolelinux
backup server, has given pupils access to the root password.
Imagine this scenario:
Mister X is an administrating teacher, just our target group, as his
Linux skills are rather mediocre.
During the summer holidays he dares to install a combined Tjener/LTSP. By means
of some Webmin-based interface, he imports users from csv files that
are stored in his local home directory /skole/tjener/home0. He is wise
enough to delete those files and even his account before school starts.
Now, every pupil gets their password. Cool Joe does a search for his
password (say "ToPSeCr3t") and - wow! - discovers a file import.csv (or
some mozilla cache log) in /skole/tjener/backup/skole/tjener/home0/misterx
which is world readable.
Of course, you could blame Mister X for being ignorant towards the rights of
mounted discs and so on - but I know that this mistake is made by most
amateur admins (just start searching now!)
Yes, I know, my suggestions are rather tentative - but hopefully
inspiring to some of you ;)
Regards
Ralf
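The "just start searching now!" check from the scenario above, written out as an added example (not code from the thread or from Skolelinux): it walks a backup tree for world-readable regular files whose contents match a given string (a pupil's own password, as Cool Joe did), and then strips "other" access from the tree so the same search comes back empty. The directory layout and the import.csv contents are constructed for the demonstration; the path names merely mirror the scenario and are assumptions.

```shell
#!/bin/sh
# Added example: audit a backup tree for world-readable files that leak a
# plaintext credential, then remove world access. Not part of the original
# thread; paths and sample data are constructed for this demo.

# Print every regular file under DIR that is readable by "other" (perm bit
# 0004) and contains PATTERN. Exit status is not meaningful on purpose: the
# caller consumes the list of paths.
world_readable_matches() {
    wr_dir=$1
    wr_pattern=$2
    # -perm -004: the world-read bit is set, regardless of other bits.
    find "$wr_dir" -type f -perm -004 -exec grep -l -- "$wr_pattern" {} + 2>/dev/null
}

# Count how many world-readable files under DIR/backup contain PATTERN.
count_leaks() {
    cl_base=$1
    cl_pattern=$2
    world_readable_matches "$cl_base/backup" "$cl_pattern" | wc -l | tr -d ' '
}

# The remediation the scenario implies: a backup of home directories must
# not be readable by everyone. Strip all "other" permissions recursively.
strip_world_access() {
    chmod -R o-rwx "$1"
}

# Build a constructed sample tree under BASE that mirrors the scenario:
# the admin's leftover import.csv survives in the backup, world-readable,
# next to a harmless note and a properly protected file.
setup_sample() {
    sb_base=$1
    sb_home="$sb_base/backup/skole/tjener/home0"   # hypothetical path
    mkdir -p "$sb_home/misterx" "$sb_home/other"
    printf 'joe,ToPSeCr3t\n' > "$sb_home/misterx/import.csv"
    chmod 644 "$sb_home/misterx/import.csv"        # world-readable: the leak
    printf 'nothing sensitive here\n' > "$sb_home/misterx/notes.txt"
    chmod 644 "$sb_home/misterx/notes.txt"         # world-readable, no secret
    printf 'alice,ToPSeCr3t\n' > "$sb_home/other/private.csv"
    chmod 600 "$sb_home/other/private.csv"         # contains the string, but not world-readable
}

# Stand-alone run: create the sample, search, fix, search again.
if [ "${DEMO_RUN:-0}" = "1" ]; then
    demo_base=$(mktemp -d)
    setup_sample "$demo_base"
    echo "leaks before fix: $(count_leaks "$demo_base" ToPSeCr3t)"
    world_readable_matches "$demo_base/backup" ToPSeCr3t
    strip_world_access "$demo_base/backup"
    echo "leaks after fix: $(count_leaks "$demo_base" ToPSeCr3t)"
    rm -rf "$demo_base"
fi
```

Run it with `DEMO_RUN=1 sh audit.sh`; on a real Tjener the search would be `world_readable_matches /skole/tjener/backup 'ToPSeCr3t'` as an unprivileged user, and the permission bit filter is what matters: a file root can read is not the problem, a file every pupil can read is.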