whither "passwd -p ..." ?
Cristian Ionescu-Idbohrn
cristian.ionescu-idbohrn at axis.com
Wed Jul 4 12:57:42 PDT 2007
On Wed, 4 Jul 2007, Jim Freeman wrote:
> On Wed, Jul 04, 2007 at 05:39:25PM +0200, Cristian Ionescu-Idbohrn wrote:
> > On Tue, 3 Jul 2007, Jim Freeman wrote:
> >
> > > # passwd -p **** blip
> >
> > Isn't this the well known insecure method that shouldn't be used
> > because (with the right timing) anyone can snap the password with ps
> > or 'cat /proc/<pid>/cmdline'?
> ...
>
> As I acknowledged in parts you trimmed, yes (if "anyone" is taken
> to mean "someone with shell access").
Yes. Should I apologise for trimming?
> But in many embedded cases, there is no shell access (ergo, the
> cgi remote admin mentioned in the original mail).
Of course.
> In such cases "anyone" == "no one", and "shouldn't be used" becomes
> "might be used", and this particular point is then mooted.
Yes. Still. Any such -p "option" should be marked as "risky" and appear
just as an option (i.e. default disabled).
--
Cristian
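
The exposure discussed in this thread, as an added example that is not part of the original mail or of busybox: a harmless stand-in child (it only sleeps, no account is touched) is started once with a constructed secret in its arguments and once with the secret on stdin, and its `/proc/<pid>/cmdline` is checked each time. The name `passwd-standin`, the helper functions and the secret value are assumptions made for the demonstration; it needs a Linux `/proc`.

```shell
#!/bin/sh
# Constructed sample value; stands in for the password typed after -p.
SECRET='constructed-example-secret'

# argv_exposes PID STRING: succeed if a process reading
# /proc/PID/cmdline (the NUL-separated argv) would see STRING.
argv_exposes() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline" | grep -qF -- "$2"
}

# Stop the stand-in child and reap it, ignoring its exit status.
reap() {
    kill "$1" 2>/dev/null || :
    wait "$1" 2>/dev/null || :
}

# Secret passed as an argument, shaped like `passwd -p <secret> blip`.
leak_via_argv() {
    sh -c 'sleep 2; :' passwd-standin -p "$SECRET" blip &
    pid=$!
    sleep 1                          # give the child time to exec
    if argv_exposes "$pid" "$SECRET"; then rc=0; else rc=1; fi
    reap "$pid"
    return "$rc"
}

# Same secret fed on stdin instead; argv carries only the user name.
leak_via_stdin() {
    printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 2; :' passwd-standin blip &
    pid=$!                           # PID of the last command in the pipeline
    sleep 1
    if argv_exposes "$pid" "$SECRET"; then rc=0; else rc=1; fi
    reap "$pid"
    return "$rc"
}

if leak_via_argv; then
    echo "argv:  secret readable in /proc/<pid>/cmdline"
fi
if leak_via_stdin; then
    echo "stdin: secret readable in /proc/<pid>/cmdline"
else
    echo "stdin: secret not present in /proc/<pid>/cmdline"
fi
```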