Date:      Wed, 2 Dec 1998 18:44:17 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        Dima Ruban <dima@best.net>, guido@gvr.org, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   Re: cvs commit: src/etc master.passwd
Message-ID:  <199812030244.SAA20794@apollo.backplane.com>
References:  <199812022135.NAA02023@burka.rdy.com> <199812022155.NAA19166@apollo.backplane.com> <19981203021907.A79875@nagual.pp.ru>


:On Wed, Dec 02, 1998 at 01:55:34PM -0800, Matthew Dillon wrote:
:>     I suppose, theoretically, if some hacker were able to create a file or
:>     directories in /, they would be able to break into the account.  But anyone
:>     capable of that can probably break root directly.  If we were totally
:
:About creating nonexistent directories: some hackers prefer to live on
:machine using some stealing techniques to mimic valid user. It is too easy
:to mimic valid user under operator just by creating new directory even
:without touching passwd (which can be detected by daily script). 

    I don't see how '*'d-out accounts can possibly have a major effect 
    on security.  If your machine gets broken into and you aren't 
    checking your entire hierarchy, you've got a problem anyway.  Making
    the operator account less easily subverted when it already defaults
    to a '*'d-out password is not going to improve security in any
    measurable way.  The hacker could just as easily add innocuous
    rhosts, ssh (, etc...) entries to other system entries or even 
    inactive user accounts.

					-Matt

:-- 
:Andrey A. Chernov

    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet 
                    Communications & God knows what else.
    <dillon@backplane.com> (Please include original email in any response)    
