
Re: [cobalt-users] All folders visable on whole server



> > > As far as reading stuff, I've been on plenty of servers where I could move
> > > right up through the ftp tree until I was at the very root of the server
> > > (/), and I could download stuff and read it.
> >
> > That's major scary stuff.... any decent perl user could download your shadow
> > file and get the root/admin password.
> >
> > Kevin
>
> Kevin,
> I'm a bit confused here. Do you mean the /etc/passwd and /etc/passwd- files?
> Because I look in those two files and while I do see all of the users on the
> site, I don't see anything that resembles a password or even an encrypted
> version of the password.
>
> Am I looking at the wrong passwd file?
>
> Carrie Bartkowiak


He's talking about the /etc/shadow file, which contains users' crypted
passwords.

First off, unless your server is FUBAR due to YOUR mistake, or a hacker that
already cracked it, NO perl programmer can read the /etc/shadow file unless
you give him/her/it permission to do so in some way or another.  The file
is -rw------- (0600) with uid/gid root.

Also, the shadow file contains one-way encrypted passwords.  Therefore,
someone can't just take the crypted text (if they *could* get it in the
first place) and use it as your password, or decode it with some magical
algorithm.  The only option a hacker has is a brute force, dictionary style
attack.  If a hacker breaks your password with this type of attack, then
you're SOL for choosing a bad password in the first place.


--
Brian Curtis
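As an added illustration of the points Brian makes (not code from the list or from any Cobalt tool): a small audit that checks the two things that keep the hashes private, namely that /etc/passwd carries only an "x" placeholder in the password field while the real hash lives in /etc/shadow, and that the shadow file is root-owned with no group or other permission bits (the 0600 he cites). The passwd and shadow entries below are constructed samples, and the hash strings in them are placeholders, not real crypt output.

```python
import os
import stat
import tempfile

# Constructed sample entries in /etc/passwd and /etc/shadow layout.
# "legacy" is deliberately misconfigured: its passwd line carries a hash
# (placeholder text) and its shadow line has an empty password field.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
carrie:x:1001:1001:Carrie:/home/carrie:/bin/bash
legacy:PLACEHOLDERHASH:1002:1002:Old account:/home/legacy:/bin/bash
"""

SAMPLE_SHADOW = """root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
carrie:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
legacy::19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Map user name -> list of colon-separated fields, skipping blanks/comments."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def passwd_findings(passwd_text):
    """Accounts whose world-readable passwd entry holds something other than 'x'."""
    findings = []
    for user, fields in parse_colon_file(passwd_text).items():
        pw = fields[1]
        if pw == "":
            findings.append((user, "empty password field in passwd"))
        elif pw != "x":
            findings.append((user, "hash stored in world-readable passwd, not shadow"))
    return findings


def shadow_findings(shadow_text):
    """Accounts whose shadow entry allows login with no password at all."""
    findings = []
    for user, fields in parse_colon_file(shadow_text).items():
        if fields[1] == "":
            findings.append((user, "empty password: login with no password"))
    return findings


def perm_findings(path, expected_uid=0):
    """Problems with a shadow-style file: owned by expected_uid, mode 0600 or tighter."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IRWXG:
        problems.append("group permission bits set")
    if st.st_mode & stat.S_IRWXO:
        problems.append("other permission bits set (world-accessible)")
    return problems


def demo_perm_check():
    """Create a scratch file, check it at 0644 and then at 0600; return both results.

    The scratch file is owned by the current user, so the expected uid is
    os.getuid() here rather than root (assumption: a POSIX host)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = perm_findings(path, expected_uid=os.getuid())
        os.chmod(path, 0o600)
        tight = perm_findings(path, expected_uid=os.getuid())
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    print("passwd:", passwd_findings(SAMPLE_PASSWD))
    print("shadow:", shadow_findings(SAMPLE_SHADOW))
    print("scratch file at 0644 then 0600:", demo_perm_check())
    # On a real box, run as root: perm_findings("/etc/shadow") should be [].
```

On a live system the same functions can be pointed at the real files (reading /etc/shadow requires root), and an empty result from each is what the thread describes as the normal, safe state.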