Security of using sudo rather than su?
Alan McKinnon
alan at linuxholdings.co.za
Fri Sep 15 10:30:56 UTC 2006
On Friday 15 September 2006 11:46, Adam Funk wrote:
> In /etc/shadow I find bin's password field is '*' but cupsys
> has '!'. `passwd -S` for both of them gives a status of 'L'
> (locked). `man passwd` says there are three possibilities:
> "the account is locked (L), has no password (NP), or has a
> usable password (P)".
>
> So now I'm wondering:
>
> * Does `passwd -d` produce status NP?
Dunno. Why don't you try it and tell us what happened?
> * What's the difference between '*' and '!' in the encrypted
> password field?
From man passwd:
-l, --lock
Lock the named account. This option disables an account by
changing the password to a value which matches no possible
encrypted value.
Neither * nor ! is an encrypted hash, so both fulfil the
requirements. Don't get hung up on what these things mean; it's
just an arbitrary symbol so that you a) can't log in with that
account and b) the passwd isn't empty.
>
> * Why are the daemon-ish accounts L rather than NP, since you
> shouldn't want to unlock them? And what would happen if
> you tried `passwd -u`, since they haven't had passwords yet?
The account is locked, so you can't run a login session as that
user. But the uid is still valid, the account can own files,
and root can start a daemon and drop privileges to that user.
I dunno about passwd -u, but even if you managed to get a valid
password into a system account (uid < 500), and the shadow
system recognised a valid login account, pam would still
disallow the login as it's a system uid.
alan
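As an added example (not part of the thread above), here is the `passwd -S` classification rule applied to constructed /etc/shadow lines in Python: empty field is NP, a leading '!' or '*' is L, anything else is P. The sample entries, the hash strings and the helper names are my own; the only fact assumed about `passwd -l` is that it prepends '!' to an existing hash, which is why `passwd -u` can reverse it for a real user but has nothing to restore for a bare '!' or '*'.

```python
"""Classify /etc/shadow password fields the way `passwd -S` reports them."""
from dataclasses import dataclass
from typing import List

# Constructed sample lines in /etc/shadow format (not from a real system):
# name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ:13400:0:99999:7:::
bin:*:13400:0:99999:7:::
cupsys:!:13400:0:99999:7:::
alice:!$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ:13400:0:99999:7:::
guest::13400:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    password: str
    status: str       # 'L', 'NP' or 'P', as printed by `passwd -S`
    unlockable: bool  # would `passwd -u` leave a usable hash behind?


def shadow_status(field: str) -> str:
    """Apply the `passwd -S` rules: empty -> NP, leading '!' or '*' -> L, else P."""
    if field == "":
        return "NP"
    if field[0] in ("!", "*"):
        return "L"
    return "P"


def unlock_recovers_hash(field: str) -> bool:
    """`passwd -l` prepends '!' to an existing hash, so stripping one '!'
    recovers it. A bare '!' or '*' (system accounts) has no hash behind it,
    so unlocking would yield an empty, passwordless field instead."""
    return field.startswith("!") and shadow_status(field[1:]) == "P"


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format text; only the first two fields matter here."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, pw = fields[0], fields[1]
        entries.append(ShadowEntry(name, pw, shadow_status(pw), unlock_recovers_hash(pw)))
    return entries


def usable_password_accounts(entries: List[ShadowEntry]) -> List[str]:
    """Audit helper: accounts that could actually authenticate with a password."""
    return [e.name for e in entries if e.status == "P"]


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e.name:8} {e.status:3} unlockable={e.unlockable}")
```

Run it against a real `/etc/shadow` (as root) by replacing `SAMPLE_SHADOW` with the file's contents to list which accounts hold a usable hash and which locked ones would become passwordless if unlocked.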