Security Question

Matthew Miller mattdm at mattdm.org
Mon Feb 14 18:23:11 UTC 2005


On Mon, Feb 14, 2005 at 09:25:43AM -0800, Scott Becker wrote:
> Does anybody know which mailing list addresses security issues?

fedora-list is best for this in general. But there is a "-devel" issue
here.....

> Logwatch on my server reported this:
> apache logged in from dsl-82-199-133-138.dutchdsl.nl (82.199.133.138) using 
> password: 1 Time(s)
> My apache account is active so I can su to it to administer postgresql 
> databases accessible via php scripts. No password is set. It was my 
> understanding that it would be impossible to log in except via su from 
> root. Either I'm dead wrong or there's a security hole which needs fixed.

I think the problem here is that you're dead wrong. If no password is set
and the account isn't locked, anyone can log in. Make sure the account is
locked.

For this reason, I apply the following patch to authconfig, to make the
default configuration disallow logins with null passwords. I think it'd be a
good idea to make this be the default, in fact. People who really want empty
passwords should have to do this to themselves.

--- ../authconfig-4.1.6.orig/authinfo.c Wed Aug 29 14:26:40 2001
+++ ./authinfo.c        Wed Aug 29 14:29:46 2001
@@ -2061,9 +2061,7 @@
 static const char *argv_unix_auth[] = {
        "likeauth",
-       "nullok",
        NULL,
 };
 static const char *argv_unix_password[] = {
-       "nullok",
        "use_authtok",
        NULL,


-- 
Matthew Miller            mattdm at mattdm.org        <http://www.mattdm.org/>
-->  Fedora Users & Developers Conference, hosted by Boston University  <--
February 18th, 2005                       <http://fedoraproject.org/fudcon/>  
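The two checks an administrator would want after reading this thread, as an added example that is not part of the original message or of authconfig: list accounts whose shadow entry has an empty password field (and which ones are already locked), and find pam_unix lines in a system-auth style file that still carry nullok, producing a copy without it. The sample shadow and system-auth contents below are constructed for the example; on a real system the same functions would be pointed at /etc/shadow (readable only by root) and /etc/pam.d/system-auth.

```sh
#!/bin/sh
# Constructed sample /etc/shadow content (not from the original post).
# Field 2 is the password hash: empty means "no password", a leading
# "!" or "*" means the account is locked for password logins.
make_sample_shadow() {
    cat >"$1" <<'EOF'
root:$6$constructedsalt$constructedhash:16000:0:99999:7:::
bin:*:16000:0:99999:7:::
postgres:!!:16000:0:99999:7:::
apache::16000:0:99999:7:::
scott:$1$constructedsalt$constructedhash:16000:0:99999:7:::
EOF
}

# Constructed sample system-auth content (not from the original post);
# the pam_unix lines carry nullok, which is what the patch above removes
# from authconfig's defaults.
make_sample_system_auth() {
    cat >"$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
account     required      pam_unix.so
password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so
EOF
}

# Login names whose password field is empty, one per line.
# Usage: find_empty_passwords /etc/shadow
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Login names whose password field marks the account as locked.
find_locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# The command root would run to lock an account such as apache without
# deleting it: usermod -L prefixes the password field with "!", which
# pam_unix treats as locked rather than as empty.
lock_command() {
    printf 'usermod -L %s\n' "$1"
}

# Number of active (uncommented) pam_unix lines that still allow empty
# passwords via the nullok argument.
count_nullok() {
    awk '!/^#/ && /pam_unix\.so/ && / nullok( |$)/ { n++ } END { print n + 0 }' "$1"
}

# Print the PAM file with the nullok token dropped from pam_unix lines
# (whitespace on those lines is collapsed to single spaces); other lines
# are passed through unchanged.
strip_nullok() {
    awk '/^#/ || $0 !~ /pam_unix\.so/ { print; next }
         { out = $1
           for (i = 2; i <= NF; i++) if ($i != "nullok") out = out " " $i
           print out }' "$1"
}

# Demonstration on the constructed samples.
shadow=$(mktemp) && pamfile=$(mktemp)
make_sample_shadow "$shadow"
make_sample_system_auth "$pamfile"
echo "accounts with empty password field:"
find_empty_passwords "$shadow"
echo "accounts already locked:"
find_locked_accounts "$shadow"
echo "pam_unix lines with nullok: $(count_nullok "$pamfile")"
rm -f "$shadow" "$pamfile"
```

Because the quoted logwatch line only reports a login for an account, not how it was reached, running find_empty_passwords is the quickest way to confirm whether an empty password field is the cause; locking the account keeps su from root working, which is all the original poster needed.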




More information about the fedora-devel-list mailing list