
Re: fixing those pwdb shadow inconsistencies and holes



Cristian Gafton writes:
>Whatever needs to be done to libpwdb, please tell me and I will handle it.
>I don't get exactly to what type of policy you are referring to - could
>you please be more specific ?

The policy of which databases in a list take which data elements.

I was told before that if the shadow argument was *not* given to
pam_pwdb, passwords would be left where they were and not migrated.
To do anything else will horribly confuse admins used to shadow
passwords.  Trust me; we've already had a deluge of mail about
this.  It hasn't even all been in English!

>To anyone about to have a heart attack: pam_pwdb and libpwdb are not
>broken; it depends on how you expect things to go. Except for the possible
>exploits on the endian thing, there is no way one could compromise a
>system using the 'exploits' mkj posted.

Sysadmins who are used to shadow passwords "know" that the password
does not go in /etc/shadow unless there is an x in the password field
in /etc/passwd.  This is not a security hole for people who are aware
of the problems (such as subscribers to this list) but for people who
expect standard behaviour.  The people who are on this list have no
need to have heart attacks except for their uninformed friends.

>Anyway, this is going to be fixed. Now.

Thank you very much!

michaelkjohnson

"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
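
Added example, not part of the original message and not code from pwdb or PAM: a consistency check for the convention discussed above, where a password belongs in /etc/shadow only when the password field in /etc/passwd is x. The function names and the sample file contents (including the placeholder hash strings) are constructed for illustration.

```python
# Constructed sample data; the "hashes" are placeholders, not real crypt output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:$1$constructed$placeholderhash000000:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave::1003:1003::/home/dave:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$placeholderhash111111:10000:0:99999:7:::
alice:$1$constructed$placeholderhash222222:10000:0:99999:7:::
bob:$1$constructed$placeholderhash333333:10000:0:99999:7:::
"""

def parse(text):
    """Map login name -> password field (second colon-separated field)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries

def audit(passwd_text, shadow_text):
    """Return (user, problem) pairs where passwd and shadow disagree."""
    passwd, shadow = parse(passwd_text), parse(shadow_text)
    findings = []
    for user, field in passwd.items():
        if field == "x":
            if user not in shadow:
                findings.append((user, "x in passwd but no shadow entry"))
            continue
        if field == "":
            findings.append((user, "empty password field in passwd"))
        elif not field.startswith(("*", "!")):  # '*' and '!' mark locked accounts
            findings.append((user, "hash stored in world-readable passwd"))
        if user in shadow:
            # The case the message describes: admins expect no shadow data here.
            findings.append((user, "shadow entry exists without x in passwd"))
    for user in shadow:
        if user not in passwd:
            findings.append((user, "shadow entry with no passwd entry"))
    return findings

if __name__ == "__main__":
    for user, problem in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {problem}")
```

To check a real system, pass the contents of /etc/passwd and /etc/shadow to `audit()`; reading /etc/shadow requires root.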


