Re: [dev] [PATCH] [ubase] Simplify login

From: FRIGN <>
Date: Wed, 4 Jun 2014 18:36:26 +0200

On Wed, 4 Jun 2014 12:22:04 -0400
Nick <> wrote:

> Well no. Think about sysadmins who have to allow users to run crappy
> PHP code on a shared server (so glad I'm not one of those people at
> the moment). An attacker can execute commands as a web user,
> probably far easier than brute-forcing an initial login. If they can
> then just copy a world readable /etc/passwd, they can do all the
> hash cracking offline. Which isn't possible if there's a /etc/shadow
> file that's unreadable to a web user. Unless I'm missing something,
> that's the value of the shadow system in a modern environment, when
> coupled with the problem that you can't necessarily trust that all
> users have very strong passwords. Plus your idea of what constitutes
> a 'strong' password is probably quite a few years out of date. I
> read a fun article on Ars Technica about about how brute-force
> cracking is done nowadays; it's pretty smart!

Okay, you convinced me. A shadow-file definitely makes sense in a
multi-user-system and hashes of even strong passwords aren't as safe as
I thought.
Running a dictionary-attack on the hashes directly is a smart move I
read about, but honestly didn't remember as well as I should have.

> That certainly seems to be true. After all, why get root on paypal's
> servers; the money is in any account that can access their database,
> which (probably at some levels of remove) is just an 'unprivelaged'
> web user.

Yep, that's true! In many cases comfort is the biggest vulnerability in
modern web-applications and services.

Received on Wed Jun 04 2014 - 18:36:26 CEST

This archive was generated by hypermail 2.3.0 : Wed Jun 04 2014 - 18:48:03 CEST