| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: avalon at caligula.anu.edu.au (Darren Reed) Subject: Re: IRCXpro 1.0 - Clear local and default remote admin passwords In some mail from Michael Osten, sie said: > > > The reason why IRC servers "IRCD.config" files don't use encryption (see > > file attachment for example) is because 49 times out of 50 they do not > come > > with a GUI program. Administrators main method of changing the > > configuration is to manually edit the file using a notepad utility. > > It has nothing to do with having a GUI or not. You obviously have no > concept of Unix permissions, so using a unix analogy should be avoided in > the future. The config file that you speak of would be set to only be > readable and/or writable the user running the daemon. Even the existance of > that password in the config file woud lend it self a bad design as every > application in (linux at least) can have hooks to PAM and use the same > encrypted password. If the password *was* in the config file, to read this > file, you would need that users priviledges, or priviledges greater than > that user. If you have either, crypting the password would be a bit > pointless (not to say that people don't do it). You're fogetting that this IRC server application is being developed for Windows where people are still mostly unfamiliar with advanced file permission concepts beyond "read-only/archive" bits. NTFS (NT4, W2K, XP, ...) supports file ownership by users as well as read/write/execute "bits". This is something that many *nix advocates are blissuflly unaware of. It's also not often used properly. Darren
Powered by blists - more mailing lists