Re: [cobalt-users] Checking user password
- Subject: Re: [cobalt-users] Checking user password
- From: "Roy A. Urick" <roy.urick@xxxxxxxxxxxxxxxx>
- Date: Thu Dec 6 06:43:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
No, I wasn't saying they were all bored, lazy... just that SOME are ;).
I think the problem is getting my brain to shift gears totally. 90% of what
I do on a day-to-day basis is Novell and M$. By default, both of those OSes
exclude the admin account from the user's home directory. Other areas (like
accounting records directories) can also be locked down so that only the
owner can access them, even excluding access from the admin acct/group. There is
no way (don't say cracking passwords, that isn't always an option if your
security policies are followed) for the admin to see these areas easily;
they have to do fun things like change passwords, take ownership, etc., all
things that can be seen. THAT seems to be where we aren't quite connecting; I
still haven't gotten my brain totally on track with *nix.
Yes, in *nixland root is god, can do whatever they want, all-knowing, etc.,
yadda yadda yadda :)
All bow to root.
Roy
PS I think I'll bow out of this thread now since it's starting to get waaaay
OT.
----- Original Message -----
From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, December 06, 2001 12:47 AM
Subject: Re: [cobalt-users] Checking user password
> "Roy A. Urick" <roy.urick@xxxxxxxxxxxxxxxx> wrote:
> > You missed my point. Yes, with cracking tools, it's possible. I am talking
> > about the casual meanderings of your typical bored, nosey, lazy admin, and
> > using encrypted passwords.
>
> You're not implying that the typical server admin is bored, lazy, etc. are
> you? Not a nice thing to say on a list with a high percentage of server
> admins. :0 Passwords, encrypted or otherwise, do not impede a server admin
> from accessing any files on the server. If you feel otherwise, please
> elaborate.
>
> > My point in all this is the systems are designed so admins cant just
> > casually look up a PW in a plain text file
>
> If you're saying that due to the encrypted password format server admins
> can't view the passwords I agree. If you're saying preventing server admins
> from viewing plain text passwords is a primary reason operating systems such
> as *nix use encrypted passwords I disagree.
>
> > and start snooping.
>
> Again, I disagree. A server admin can access any file on the server. Can
> you give a scenario where encrypted passwords prevent a server admin from
> snooping? Sure, it prevents a server admin from using the user's password
> to access other systems (computer and otherwise) that the user might use the
> same password on, but outside of that I'm not sure what you're referring to.
>
> > they gotta
> > WANT to get in and look (and work a little at it).
>
> Want, yes; work, no.
>
> > Also, bear in mind I
> > include such environments as Novell and M$ in my scenarios.
>
> Granted, but this thread was about the RaQ3/4. It shouldn't make a
> difference, unless server admins working on those systems are less
> trustworthy. Ah, maybe those are the typical admins you described earlier.
> ;-)
>
> > As for changing the password and then replacing it to be undetected, once
> > again that assumes they took the time to crack it.
>
> No, it does not. You can test yourself. The entire process takes less than
> a minute.
>
> 1. Login to the shell as admin.
> 2. su - root
> 3. cp -p /etc/shadow /root/shadow
> 4. passwd myuser (then change user's password)
> 5. su - myuser
> 6. You are now that user. Do whatever you want.
> 7. exit (you're now root again)
> 8. pico -w /etc/shadow (replace myuser's encrypted password with the old
> version in /root/shadow)
>
> > As a buddy of mine says... "Locks are only here to keep honest people
> > honest, not to keep bad people out"
>
> True, but in this case we're referring to the business owner with a master
> key. And the layer of security in place makes it more difficult for the
> disgruntled employees and customers from getting in the boss' office. :-)
>
> --
> Steve Werby
> President, Befriend Internet Services LLC
> http://www.befriend.com/
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
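An added example, written for this page and not posted by Roy or Steve: the backup, change and hand-restore of steps 3-8 above, simulated on a constructed copy of a shadow file in a temp directory so it runs without root (the real file is /etc/shadow; the hashes below are placeholders, not real credentials). It also shows the check an auditor would run afterwards. `passwd` rewrites field 3 of the user's shadow entry (the "last changed" day count) as well as the hash, so restoring only the hash in an editor leaves a visible trace, whereas `cp -p` of the backup over the live file does not. Two further caveats not in the thread: root's `su - myuser` prompts for no password, so steps 4 and 8 are not even needed to become the user, and editing the file in place also updates its mtime, which this simulation does not model.

```shell
#!/bin/sh
# Added example: simulates the shadow-file swap from the thread on a
# constructed copy, and measures what trace each restore method leaves.

# Constructed sample shadow file (placeholder hashes). Fields are
# name:hash:lastchg:min:max:warn:inactive:expire:reserved.
make_sample_shadow() {  # $1 = path to write
    cat > "$1" <<'EOF'
root:$6$ROOTSALT$ROOTHASHPLACEHOLDER:11660:0:99999:7:::
myuser:$6$OLDSALT$OLDHASHPLACEHOLDER:11660:0:99999:7:::
alice:$6$ALICESALT$ALICEHASHPLACEHOLDER:11655:0:99999:7:::
EOF
}

# What `passwd <user>` does to the entry: new hash AND new lastchg day
# (days since 1970-01-01), passed in explicitly so the run is reproducible.
simulate_passwd() {  # $1 = shadow file, $2 = user, $3 = new hash, $4 = today in days
    awk -F: -v OFS=: -v u="$2" -v h="$3" -v d="$4" \
        '$1 == u { $2 = h; $3 = d } { print }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Step 8 done by hand: copy only the old hash back from the backup, which is
# all an editor session on the hash field would change.
restore_hash_only() {  # $1 = shadow file, $2 = user, $3 = backup copy
    old=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$3")
    awk -F: -v OFS=: -v u="$2" -v h="$old" \
        '$1 == u { $2 = h } { print }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Auditor's check: number of fields in the user's entry that differ between
# the live file and a trusted copy (0 means the entry is byte-identical).
changed_fields() {  # $1 = shadow file, $2 = user, $3 = trusted copy
    live=$(awk -F: -v u="$2" '$1 == u' "$1")
    orig=$(awk -F: -v u="$2" '$1 == u' "$3")
    printf '%s\n%s\n' "$live" "$orig" | awk -F: '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) a[i] = $i; next }
        { c = 0; for (i = 1; i <= n; i++) if (a[i] != $i) c++; print c }'
}

# Stand-alone walk-through of the thread's steps 3, 4 and 8.
demo() {
    d=$(mktemp -d)
    make_sample_shadow "$d/shadow"
    cp -p "$d/shadow" "$d/shadow.bak"                      # step 3
    simulate_passwd "$d/shadow" myuser '$6$NEWSALT$NEWHASHPLACEHOLDER' 11662  # step 4
    echo "after passwd:        $(changed_fields "$d/shadow" myuser "$d/shadow.bak") field(s) differ"
    restore_hash_only "$d/shadow" myuser "$d/shadow.bak"   # step 8 by hand
    echo "after hash restore:  $(changed_fields "$d/shadow" myuser "$d/shadow.bak") field(s) differ (lastchg)"
    cp -p "$d/shadow.bak" "$d/shadow"                      # restore whole file instead
    echo "after cp -p restore: $(changed_fields "$d/shadow" myuser "$d/shadow.bak") field(s) differ"
    rm -rf "$d"
}

[ "${0##*/}" = "shadow_swap.sh" ] && demo
```

Run it as `shadow_swap.sh` to see the three counts (2, 1, 0). The lesson for the defender is the one Steve's closing remark implies: the only real protection against the holder of the master key is a record kept somewhere the key holder cannot edit, for example a copy of /etc/shadow's hash and mtime shipped off-box, which `changed_fields` approximates here.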