Re: "Small" Bug
hello,
according to the discussion, I was thinking about getting rid of the passwd file.
I wonder if it is possible not to use one database file, which is
world-readable, but a set of small files (records, tuples) in homedirs (I
know that homedir is defined in passwd - just thinking :) ). And, on the
other hand, it is possible to use a database (SQL engine) to manage user
accounts. The main advantage of this solution is extended access control (as
far as I remember in Oracle 7). Level-based access control can give a
specified user (not supervisor) the ability to create, for example,
new user accounts (to do backup, etc).
IMHO the main question is: is it really important?
sorry if this post wasn't helpful - I haven't used Hurd for a long time
(work work work :( )
btw - when playing with unix chmod and chown (and a bit of C) I've created a
system w/o suid-root files visible to users (but they still have access
to login, mount, ping, etc). Have you ever tried to do something like it?
I think it is too simple to work, so I am asking where I went wrong.
yours,
burzum
HTI
On Wed, 15 Mar 2000, powder keg wrote:
-->>How do you compromise a box with a username but no password? I challenge
-->>you:
-->>
-->>brinkmds@mailhost.ruhr-uni-bochum.de
-->>brinkmd@master.debian.org
-->>brinkmd@va.debian.org
-->>finnegan@users.sourceforge.net
-->>marcus@gnu.org
-->>
-->>Those are four user names on wholly different systems.
-->
-->How retarded.
-->
-->Yes, but you gave those to us. Now, assuming these machines are running
-->Hurd (which they're not) if we telnet to your machine and find someone who
-->hasn't reset their default passwd...
-->
-->This is a lot different than sitting at a terminal with no mailing list, no
-->computer, etc. and wondering, "hmm, where should I start?"
-->
-->No one is going to use the Hurd if you have some sort of nonsense like an
-->open login shell. It's an IS nightmare and it's clumsy, at best, pure
-->stupidity at worst. The more privileges to the unauthorized user, the more
-->he can poke holes at the system.
-->
-->Why don't we make the passwords visible as well? It's just tooooo difficult
-->these days to retype a password again and, more than likely, most people
-->don't have people looking over their shoulders anyway.
-->
-->Just because you want to break the rules of common sense to make a statement
-->about your "it'll never happen" mentality doesn't mean we need to suffer
-->with the possibility of compromising our systems.
-->
-->>Here is one for you: "root". Probably 90% of all machines have it.
-->
-->Yeah, but the root account doesn't usually have a simple password like the
-->average user has (birthday, mother's maiden name, etc). The root password
-->isn't going to be posted on a monitor with a post-it note.
-->
-->>To close the case I make the following suggestion: Double the length of the
-->>passwords from eight to sixteen. This has the same effect.
-->
-->This is the dumbest idea I've heard yet. If people can't remember 8-letter
-->passwords without scrawling it down in an obvious location, what makes you
-->think they'll fare any better with 16-letter ones?