[wplug] /etc/master.passwd Was: Re: SpamAssassin -- user_prefs security hole?

Bill Moran wmoran at potentialtech.com
Wed May 26 21:48:35 EDT 2004


James O'Kane wrote:
> On Wed, 26 May 2004, Brandon Kuczenski wrote:
> 
> 
>>>/etc/master.passwd (the "shadow password" file) contains a field for defining
>>>which profile each user belongs to, so you can add different users to
>>>different resource limit profiles.  If you don't define a profile, the system
>>>gives them the "default" profile, which (as you can see) is unlimited by
>>>default.
>>
>>/etc/shadow in redhat
> 
> Correct me if I'm wrong, but I think /etc/master.passwd isn't exactly the
> same as /etc/shadow.

I can't say how similar master.passwd is to shadow, but I can tell you what
master.passwd is for.

/etc/passwd is world readable, thus it contains information about users that
is safe for anyone to view (i.e. full name, home directory, etc.).
/etc/master.passwd contains all the information that passwd does, but also
contains information that ordinary people shouldn't have access to (such as
the login class, and the encrypted password ... even though the password is
encrypted, it's traditional to keep even the encrypted version away from
prying eyes); thus, /etc/master.passwd is only readable by root.

On FreeBSD, at least, these two files are compiled into a dbm database to
allow the system to look up information faster.  Thus it's not a good idea
to manually edit either file, but use programs such as vipw, which
automatically keep master.passwd and passwd in sync, and update the dbm
file as needed.  You _can_ edit the files manually and use pwd_mkdb to
update the dbm file, but this is prone to user error and therefore not
recommended.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
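
An added example (not part of the original message): a Python check that derives the world-readable passwd lines from master.passwd text and reports the kind of drift that manual edits cause. The 10-field layout and the "*" password placeholder are taken from FreeBSD's passwd(5); the function names and sample accounts are constructed for illustration.

```python
# Field order per FreeBSD passwd(5); an assumption of this added example.
FIELDS = "name password uid gid class change expire gecos home shell".split()

def parse_master(text):
    """Parse master.passwd text into dicts, skipping blanks and comments."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {n}: expected 10 fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def public_line(e):
    """World-readable form: hash replaced by '*'; class, change, expire dropped."""
    return ":".join([e["name"], "*", e["uid"], e["gid"], e["gecos"], e["home"], e["shell"]])

def audit(master_text, passwd_text):
    """List the ways passwd disagrees with what master.passwd implies."""
    expected = {e["name"]: public_line(e) for e in parse_master(master_text)}
    actual = {l.split(":", 1)[0]: l for l in passwd_text.splitlines()
              if l.strip() and not l.startswith("#")}
    findings = []
    for name in sorted(expected.keys() | actual.keys()):
        if name not in actual:
            findings.append(f"{name}: in master.passwd but missing from passwd")
        elif name not in expected:
            findings.append(f"{name}: in passwd but not in master.passwd")
        elif actual[name].split(":")[1:2] != ["*"]:
            findings.append(f"{name}: passwd password field is not '*'")
        elif actual[name] != expected[name]:
            findings.append(f"{name}: passwd entry out of sync with master.passwd")
    return findings

# Constructed sample data, not taken from a real system.
MASTER = """\
root:$2b$04$CONSTRUCTED:0:0::0:0:Charlie &:/root:/bin/csh
alice:$2b$04$CONSTRUCTED:1001:1001:staff:0:0:Alice Example:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob Example:/home/bob:/bin/sh
"""
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice Example:/home/alice:/bin/csh
carol:*:1003:1003:Carol Example:/home/carol:/bin/sh
"""
if __name__ == "__main__":
    print("\n".join(audit(MASTER, PASSWD)))
```

On a live system the inputs would be the contents of /etc/master.passwd (read as root) and /etc/passwd; any finding means the files should be regenerated through vipw or pwd_mkdb rather than patched by hand.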


