On Tue, 03-05-2005 at 22:54 +0200, Simon Stelling wrote:
> Nice work, but do we really need that strong passwords? IMHO the
> passwords generated by portage should be changed right after emerging
> the piece of software anyway, although that might not be reality in many
> cases :( I didn't have a closer look at the packages you listed, but I
> hope those don't need a password for a unix account. Probably (just
> guessing) they save the password in plain text anyway, so it wouldn't
> matter that much...
> 
> Perhaps I'm just totally wrong.

No, but you can't ensure that users will change them; you can warn
them, you can bite them, you can kick them to do it, but they will end
up, maybe, not changing the generated password.

Also, having the password in clear text has nothing to do with the
permissions that allow or restrict a certain user from accessing it,
that is, standard DAC (aka "standard Unix permissions") prevents users,
at least theoretically, from accessing those files you don't want them
to access; besides that, you can use MAC or any other more complex model to
enforce such access restrictions (i.e. by using SELinux, RSBAC... from
Hardened Gentoo).

(Check the dev-db/phpmyadmin bug regarding the wrong permissions of the
SQL script with the password of the pma user).

The fewer risks we assess, the fewer responsibilities we have to manage
regarding Q/A.

Cheers,
-- 
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

-- 
gentoo-dev@gentoo.org mailing list
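
The DAC point made in the message above, as an added example that is not part of the original thread: a POSIX shell sketch that writes a generated password to a file that is private from creation and audits files for group/other access. The function names and file names are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. All file names are constructed.

# Print a file's permission bits in octal (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if group and others have no access at all (mode & 077 == 0).
is_private() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Store a generated password in a file that is private from the moment it is
# created: the umask is tightened in a subshell, so there is no window in
# which the file exists with default (often 0644) permissions.
write_private() {
    ( umask 077 && rm -f -- "$1" && printf '%s\n' "$2" > "$1" )
}

# Report every listed file that group or others can access.
# Returns 0 when all files are private, 1 otherwise.
audit_files() {
    bad=0
    for f in "$@"; do
        if ! is_private "$f"; then
            printf 'not private: %s (mode %s)\n' "$f" "$(file_mode "$f")"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed-secret\n' > "$d/create_user.sql"
    chmod 644 "$d/create_user.sql"          # the "wrong permissions" case
    write_private "$d/create_user_private.sql" 'constructed-secret'
    audit_files "$d"/*.sql
    rc=$?
    rm -rf -- "$d"
    return "$rc"
}
demo || echo "audit found files that need chmod 600"
```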
