On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> > Well yes it could :) As long as the user has no valid password it's not very
> > useful. Take a look into the /etc/shadow and in the second field you'll find
> > ! or * indicating that this user has an invalid password. See man 5 shadow.
>
> That's hardly true. If an attacker could somehow create an ssh
> authorized_keys file, they could log in without a password.

and if he can somehow create the non existing home dir.
or if he can somehow change the $HOME ... oh forgot when he has the power to
somehow change the $HOME he can change the $SHELL or if he can edit the
/etc/passwd he's root ... who cares about nobody.

Yeah there are so many side conditions that could happen, what a horror -
time to take the internet offline. *hrhr*

Well at least you shouldn't run all your daemons under one uid. Create one for
the ftpd, one for your httpd and so on.

SCNR
Sven
-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
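
An added example, not part of the original message: a small audit that reads passwd(5) and shadow(5) formatted text and lists accounts whose password field is locked with `!` or `*` but whose login shell would not stop a login by other means, such as an SSH key. The sample entries, the shell list and all function names are constructed for illustration.

```python
# Added example: the sample data below is constructed, not taken from a real system.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
ftp:x:105:65534::/srv/ftp:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
ftp:!:12000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:12000:0:99999:7:::
"""

def password_locked(shadow_field):
    """Field 2 of shadow(5): a leading '!' or '*' can never match a typed password."""
    return shadow_field.startswith(("!", "*"))

def parse_shadow(text):
    """Map user name -> password field, skipping blank and malformed lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries

def audit(passwd_text, shadow_text):
    """Return (user, home, shell) for accounts with a locked password
    whose shell is still a real login shell."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd(5) entry
        user, home, shell = fields[0], fields[5], fields[6] or "/bin/sh"
        if user in shadow and password_locked(shadow[user]) and shell not in NON_LOGIN_SHELLS:
            findings.append((user, home, shell))
    return findings

if __name__ == "__main__":
    for user, home, shell in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user}: password locked, but shell {shell} is a login shell (home {home})")
```
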