advertisement

Weblog:   New (local) Mac OS X vulnerability : Passwords in Swap files
Subject:   A Joke?
Date:   2004-06-28 09:39:49
From:   niteshd
Response to: A Joke?

You(root) could copy my directory or my files or delete my account or do whatever you want. But an Operating System should not allow you(root) to view my plain text password so easily.



An administrator may set my initial password, but I can change it. Infact if you are a good administrator, you should recommend that users change their password the first time they log on.


I am NOT saying that root cannot do anything he or she wants. I am suggesting that an Operating System should attempt its best to not store passwords in clear text to make it so easy for root or anyone else to obtain your plain text passsword. That is the whole point behind /etc/shadow, and the reason Operating Systems these days do not store user passwords in clear text. Here's another way of thinking about it: if root can obtain user passwords in clear text anyways, what is the point of /etc/shadow? Why not just create an /etc/shadow that is readable by root and store user passwords in clear text there?
Full Threads Oldest First

Showing messages 1 through 2 of 2.

  • A Joke?
    2004-06-28 10:22:33  timharig [Reply | View]

    If I am root I can create false logins redirect web traffic to false sites etc. I do not need direct access to your password. It is an old recommendation to use a false id-password on your first login attempt to *help* prevent this kind of problem.

    If you cannot trust the system administrator then do not use his/her system. Definitly do not use the same id-password that you use for other things.

    /etc/shadow is around because some applications rely on the historical mistake of leaving /etc/passwd world readable. While the passwords are hashed, having the hashes along with the method and salt used to derive them makes it easier to brute force the passwords on a different system.
    • Nitesh Dhanjani photo A Joke?
      2004-06-28 10:52:49  Nitesh Dhanjani | O'Reilly AuthorO'Reilly Blogger [Reply | View]

      Having the hashes along with the salt makes it more difficult to brute force the passwords. This is the whole purpose behind salts. Without a salt, I can just create a catalog of all possible combinations of the password, and store the hash of each, and just compared the hashes with the hash in the password file to find passwords in O(1) time.

      Yes, root can obtain your real password if he or she tries to. But it shouldn’t be _this_ easy. If root had to install trojans or sniff the traffic to obtain a local user's password (yes I know root does not need a local user password to do anything on the host, but may want to steal it because users in reality do use same passwords for multiple accounts), this would discourage an administrator in a large organization. This also introduces liability. As an administrator, I don't want to be able to see user password in clear text this easily.

      If a host were to be compromised, there is some comfort in knowing that strong password hashes stored in /etc/shadow may take a while to be cracked. With a vulnerability like this, if your system is compromised, clear text passwords of users will compromised as well, without any need for the intruder to brute force them.

      My opinion is that passwords should never be stored in clear text anywhere, it is just good practice.
Showing messages 1 through 2 of 2.