[wplug] /etc/master.passwd Was: Re: SpamAssassin -- user_prefs security hole?

James O'Kane jo2y at midnightlinux.com
Wed May 26 22:51:05 EDT 2004


On Wed, 26 May 2004, Brandon Kuczenski wrote:

> But it doesn't have anything about resource
> profiles.

I've never seen mention of resource profiles in Linux, but I've also never
had the need to search for one.

> One thing that I can't find doco for in the man pages is in /etc/shadow
> the password field can also be either '!!' (for login disabled) or '*'
> (for ?????????)

I've always taken !! and * to mean the same thing, a disabled account.
However, reading passwd(5) there is a note:
======
If the encrypted password is set to a star, the user will be unable to
login using login(1), but may still login using rlogin(1), run existing
processes and initiate new ones through rsh(1), cron(1), at(1), or mail
filters, etc.  Trying to lock an account by simply changing the shell
field yields the same result and additionally allows the use of su(1).
======

I take that to mean, * will allow rsh (if enabled on the system), but !!
will completely lock out the account. !! is stronger than *.

Note: If you run just man passwd, you'll get the man page on the passwd
command. The above note is from section 5 of the manual, so man 5 passwd
will show that. See man man for more details, including ways to change the
default order.

-james
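
Added example (not part of the message above or of the quoted man page): a small Python audit of shadow(5)-style entries that labels the password-field forms discussed in this thread and lists the accounts whose other access paths (rsh, cron, at, mail filters, as named in the passwd(5) note) still need checking. The sample entries, labels and function names are constructed for illustration.

```python
# Added example: classify the password field of shadow(5)-style entries.
# SAMPLE is constructed data, not taken from any real system.
SAMPLE = """\
root:$1$c0nstruct$c0nstructedhashvalue:12564:0:99999:7:::
daemon:*:12564:0:99999:7:::
ftp:!!:12564:0:99999:7:::
alice:!$1$c0nstruct$c0nstructedhashvalue:12564:0:99999:7:::
guest::12564:0:99999:7:::
"""

def classify(field):
    """Return a label for one password field (labels are this example's own)."""
    if field == "":
        return "empty"          # no password required at all
    if field == "*":
        return "star"           # the case the passwd(5) note describes
    if field == "!!":
        return "bang-bang"      # the '!!' marker asked about in the thread
    if field.startswith("!"):
        return "locked-hash"    # hash kept, but prefixed so it cannot match
    if field.startswith("$") or len(field) == 13:
        return "hash"           # crypt(3)-style hash, password login possible
    return "invalid"            # any other string cannot match a password

def audit(text):
    """Yield (user, label) per entry; skip blank, comment and malformed lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        yield parts[0], classify(parts[1])

def needs_review(text):
    """List accounts where the password field alone does not settle access."""
    flagged = []
    for user, label in audit(text):
        if label == "empty":
            flagged.append((user, "no password required"))
        elif label != "hash":
            flagged.append((user, "no usable password; check rsh/cron/at/mail filters"))
    return flagged

if __name__ == "__main__":
    for user, why in needs_review(SAMPLE):
        print(f"{user}: {why}")
```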



