Ansgar Burchardt wrote: > Yes, it still is a security risk. It escalates any security problem > where the attacker can (only) read arbitrary files into one where the > attacker has administrative access to dtc. (cf. /etc/shadow which does > not store passwords in a form that allows to easily retrieve the > original passwords)
I do understand your point, and I agree. However, the password is set in debconf, and then used by the userland shell installer script. What other solution do I have here? Any suggestion? Thomas -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
