Re: Linux and Security

On Wed, 19 Aug 1998, Michael Beattie wrote:

> 2) obtain by whatever method, the hashed/encrypted/whatever password from
> /etc/shadow.

Stop right there. Since /etc/shadow is readable only by root, if you can
access the file, you must be root .... right? If you are root, you do not
NEED a password to access a user's account. You can just become that user.
You can also create your own user accounts. You can also change the root
and user passwords or delete the passwords.

In other words ... the whole point is to protect root and keep /etc/shadow
readable only by root. If you can read the shadow file, you don't need it.

George Bonser
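
An added example, not part of the original message: one way to check the property the message relies on, that the shadow file is owned by root and cannot be read by any other account. The function name `audit_shadow`, its `expected_uid` parameter and the finding strings are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_shadow(path="/etc/shadow", expected_uid=0):
    """Return a list of findings; an empty list means only the owner has access."""
    try:
        # lstat, not stat: a symlink planted at this path must not be followed.
        st = os.lstat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"mode {mode:04o}: accessible to every local user")
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        # Some distributions grant a dedicated group read access; report the
        # gid so that the group's membership can be reviewed.
        findings.append(f"mode {mode:04o}: accessible to group gid {st.st_gid}")
    return findings


if __name__ == "__main__":
    problems = audit_shadow()
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```
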

