If an attacker discovered the regular user's password, and the normal root password field was empty, he/she could "sudo passwd root" away to his or her heart's content: it would return "password updated successfully" because it would be updated; it just wouldn't do anything. So every time the need of the root password would be invoked, the "switch" would be thrown, pointing the response to a different field. It could be visualised as a railroad track: when the "train" is heading to "Passwordtown" a switch is thrown, and it ends up at a different station. The idea being that attackers know that account is there, so they pound away at it until they get it right. A solution? Here is how I think it could work: The password field for root is created in a special, secret file (or user), probably best created as an option at install. I have read a lot of posts and articles about attacks on the root password. I have been meaning to ask this question for a few years, but I kept forgetting to. It's half question, half suggestion.