On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> > Well yes it could :) As long as the user has no valid password it's not very
> > useful. Take a look into the /etc/shadow and in the second field you'll find
> > ! or * indicating that this user has an invalid password. See man 5 shadow.
> That's hardly true.  If an attacker could somehow create an ssh
> authorized_keys file, they could log in without a password.
and if he can somehow create the nonexistent home dir.
or if he can somehow change the $HOME ... oh forgot when he has the power to
somehow change the $HOME he can change the $SHELL or if he can edit the
/etc/passwd he's root ... who cares about nobody.

Yeah there are so many side conditions that could happen, what a horror - time
to take the internet offline. *hrhr*

Well at least you shouldn't run all your daemons under one uid. Create one for
the ftpd, one for your httpd and so on.
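
Added example, not part of the original message: a small audit of the situation discussed above. It lists accounts whose shadow password field starts with ! or * and reports whether a usable login shell and an authorized_keys file would still allow an SSH key login. The sample passwd/shadow contents, the status names and the has_keys callback are constructed for illustration.

```python
import os

# Shells that refuse an interactive session (common Debian paths).
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
ftp:x:107:65534::/srv/ftp:/bin/false
www-data:x:33:33:www-data:/var/www:
"""
SAMPLE_SHADOW = """\
root:$1$constructed$notarealhash:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
ftp:!:12000:0:99999:7:::
www-data:*:12000:0:99999:7:::
"""

def rows(text, min_fields):
    """Split a colon-separated account file into field lists."""
    out = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= min_fields and not line.startswith("#"):
            out.append(fields)
    return out

def keys_on_disk(home):
    """Default check: does ~/.ssh/authorized_keys exist under this home?"""
    return os.path.isfile(os.path.join(home, ".ssh", "authorized_keys"))

def audit(passwd_text, shadow_text, has_keys=keys_on_disk):
    """Classify every account whose shadow field starts with '!' or '*'."""
    hashes = {f[0]: f[1] for f in rows(shadow_text, 2)}
    result = {}
    for f in rows(passwd_text, 7):
        name, home, shell = f[0], f[5], f[6] or "/bin/sh"  # empty shell means /bin/sh
        if not hashes.get(name, "").startswith(("!", "*")):
            continue  # password login is possible; out of scope here
        if shell in NOLOGIN_SHELLS:
            result[name] = "no-login-shell"
        elif has_keys(home):
            result[name] = "key-login-possible"
        else:
            result[name] = "shell-usable-no-keys"
    return result

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, lambda h: h == "/var/www").items():
        print(f"{name:10} {status}")
```

On a real host, pass the contents of /etc/passwd and /etc/shadow (reading the latter needs root) and leave has_keys at its default.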

