On Wed, 4 Jun 2014 12:22:04 -0400 Nick <suckless-...@njw.me.uk> wrote:
> Well no. Think about sysadmins who have to allow users to run crappy
> PHP code on a shared server (so glad I'm not one of those people at
> the moment). An attacker can execute commands as a web user,
> probably far easier than brute-forcing an initial login. If they can
> then just copy a world readable /etc/passwd, they can do all the
> hash cracking offline. Which isn't possible if there's a /etc/shadow
> file that's unreadable to a web user. Unless I'm missing something,
> that's the value of the shadow system in a modern environment, when
> coupled with the problem that you can't necessarily trust that all
> users have very strong passwords. Plus your idea of what constitutes
> a 'strong' password is probably quite a few years out of date. I
> read a fun article on Ars Technica about how brute-force
> cracking is done nowadays; it's pretty smart!
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Okay, you convinced me. A shadow file definitely makes sense in a multi-user system and hashes of even strong passwords aren't as safe as I thought. Running a dictionary attack on the hashes directly is a smart move I read about, but honestly didn't remember as well as I should have.

> That certainly seems to be true. After all, why get root on paypal's
> servers; the money is in any account that can access their database,
> which (probably at some levels of remove) is just an 'unprivileged'
> web user.

Yep, that's true! In many cases comfort is the biggest vulnerability in modern web applications and services.

-- 
FRIGN <d...@frign.de>
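As an added example (not part of the thread), a small Python audit for the condition Nick describes: it flags passwd entries that still carry a hash in the password field, and checks whether a shadow file is readable by "other". The passwd content is constructed sample data; check_mode() uses a temporary file so the permission check can be exercised without touching the real /etc/shadow.

```python
import os
import stat
import tempfile

# Constructed sample /etc/passwd content, not taken from any real system.
# The 'legacy' entry still carries its hash in field 2, as pre-shadow systems did.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
legacy:$6$saltsalt$constructedhashvalue:1001:1001::/home/legacy:/bin/sh
nick:x:1002:1002::/home/nick:/bin/sh
"""

# Field-2 values meaning "no hash stored here": shadowed ('x'), locked ('*', '!', '!!') or empty.
NON_HASH_FIELDS = {"x", "*", "!", "!!", ""}

def hashes_in_passwd(passwd_text):
    """Return usernames whose passwd entry keeps a real hash in field 2.
    /etc/passwd has to be world-readable, so such hashes can be copied by any
    local account, including a compromised web user, and cracked offline."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in NON_HASH_FIELDS:
            exposed.append(fields[0])
    return exposed

def shadow_world_readable(path):
    """True if the shadow file at `path` grants read permission to 'other'.
    A correctly deployed /etc/shadow is readable only by root (and possibly a
    shadow group), typically mode 0600 or 0640."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def check_mode(mode):
    """Create a throwaway file with the given mode and run the shadow check on
    it, so the permission logic can be exercised without touching /etc/shadow."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return shadow_world_readable(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("hashes exposed in passwd:", hashes_in_passwd(SAMPLE_PASSWD))
    print("0600 flagged:", check_mode(0o600), "0644 flagged:", check_mode(0o644))
```

On a real host, feed hashes_in_passwd() the contents of /etc/passwd and point shadow_world_readable() at /etc/shadow; any username returned, or a True from the mode check, is exactly the exposure the thread warns about.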
> Well no. Think about sysadmins who have to allow users to run crappy > PHP code on a shared server (so glad I'm not one of those people at > the moment). An attacker can execute commands as a web user, > probably far easier than brute-forcing an initial login. If they can > then just copy a world readable /etc/passwd, they can do all the > hash cracking offline. Which isn't possible if there's a /etc/shadow > file that's unreadable to a web user. Unless I'm missing something, > that's the value of the shadow system in a modern environment, when > coupled with the problem that you can't necessarily trust that all > users have very strong passwords. Plus your idea of what constitutes > a 'strong' password is probably quite a few years out of date. I > read a fun article on Ars Technica about about how brute-force > cracking is done nowadays; it's pretty smart! > http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ Okay, you convinced me. A shadow-file definitely makes sense in a multi-user-system and hashes of even strong passwords aren't as safe as I thought. Running a dictionary-attack on the hashes directly is a smart move I read about, but honestly didn't remember as well as I should have. > That certainly seems to be true. After all, why get root on paypal's > servers; the money is in any account that can access their database, > which (probably at some levels of remove) is just an 'unprivelaged' > web user. Yep, that's true! In many cases comfort is the biggest vulnerability in modern web-applications and services. -- FRIGN <d...@frign.de>