From: Munzir T. <mun...@gm...> - 2006-08-25 11:00:10

On Friday 25 August 2006 08:47, Jamie Cameron wrote:
> On 24/Aug/2006 22:30 Munzir Taha wrote ..
>
> > On Thursday 24 August 2006 18:38, Jamie Cameron wrote:
> > > On 24/Aug/2006 05:07 Munzir Taha wrote ..
> > >
> > The real problem is having the root password on this file
> > /etc/webmin/servers/1108941386.serv
> > Maybe this is because I am monitoring another server from webmin.
>
> That's right .. the master Webmin needs to store the password of the
> other server.
>
> > > And the files are only readable by root, so
> > > there is no security risk from normal users..
> >
> > As I read the vulnerability discovered in webmin 1.29- would allow any
> > anonymous user to read any system file whatever the permissions are. In
> > such cases the administrator needs some time to provide the patch.
> > After all, this is why the system root password is not only kept in
> > non-readable by everyone shadow file but also kept encrypted.
>
> Keeping it one-way encrypted like in the shadow file is OK for validating
> users, but not for automatically logging into other systems like Webmin
> does..

I don't know how webmin works but isn't there any way to encrypt it while not losing webmin features?

--
Munzir Taha
Telecommunications and Electronics Engineer
Maintainer of Fedora Arabic Translation Project
https://listman.redhat.com/mailman/listinfo/fedora-trans-ar
Maintainer of the OpenBugs project page at
http://www.arabic-fedora.org/munzir/OpenBugs.html
Master CIW Designer, ICDL, MOUS, Linux+, LPI 101
Riyadh, SA
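
The protection described in the quoted reply, that the stored credentials are safe from normal users because the files are readable only by root, can be verified on a host. The following is an added example, not part of this thread and not Webmin code: it lists `.serv` files whose owner or mode would let another local account read them. The function name `audit_serv_files` is hypothetical, and the default directory is the one named in the message.

```python
import os
import stat
from pathlib import Path


def audit_serv_files(directory, expected_uid=0):
    """Return (path, problem) tuples for *.serv files not private to expected_uid."""
    findings = []
    root = Path(directory)

    # A directory writable by group/other lets someone replace the files in it.
    if root.stat().st_mode & 0o022:
        findings.append((str(root), "directory writable by group/other"))

    for path in sorted(root.glob("*.serv")):
        st = path.lstat()  # lstat: report symlinks instead of following them
        if not stat.S_ISREG(st.st_mode):
            findings.append((str(path), "not a regular file"))
            continue
        if st.st_uid != expected_uid:
            findings.append((str(path), f"owned by uid {st.st_uid}"))
        if st.st_mode & 0o077:
            mode = stat.S_IMODE(st.st_mode)
            findings.append((str(path), f"mode {mode:04o} grants group/other access"))
    return findings


if __name__ == "__main__":
    import sys

    # Default path taken from the message above; pass another directory as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/webmin/servers"
    for path, problem in audit_serv_files(target):
        print(f"{path}: {problem}")
```

An empty result covers local accounts only: file modes do not constrain a process that already runs as root, which is the arbitrary-file-read case raised in the message.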