[CentOS] Another Fedora decision

Wed Feb 4 22:56:30 UTC 2015
Kahlil Hodgson <kahlil.hodgson at dealmax.com.au>

I just had a peek at the anaconda source for Fedora 21.  Apparently
you can waive the password strength tests (and the non-ASCII tests) by
simply clicking "Done" twice.

    def _checkPasswordASCII(self, inputcheck):
        """Set an error message if the password contains non-ASCII characters.

           Like the password strength check, this check can be bypassed by
           pressing Done twice.
        """


Kahlil (Kal) Hodgson                       GPG: C9A02289
Head of Technology                         (m) +61 (0) 4 2573 0382
DealMax Pty Ltd

Suite 1416
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing.  You must remember that
the parts you are reassembling were disassembled by you.  Therefore,
if you can't get them together again, there must be a reason.  By all
means, do not use a hammer."  -- IBM maintenance manual, 1925


On 5 February 2015 at 09:16, Lamar Owen <lowen at pari.edu> wrote:
> On 02/04/2015 04:55 PM, Warren Young wrote:
>>
>> Unless you have misconfigured your system, anyone who can copy /etc/shadow
>> already has root privileges. They don’t need to crack your passwords now.
>> You’re already boned.
>
>
> Not exactly.
>
> There have been remotely exploitable vulnerabilities where an arbitrary file
> could be read (not written), but otherwise root access wasn't given by the
> exploit; that is, no shellcode per se. If you can somehow (buffer overflow
> shellcode or something similar) get, say, httpd to return a copy of
> /etc/shadow in a GET request, well, you don't have root, but you do have the
> hashed passwords.  It doesn't take an interactive root session, and may not
> even leave a trace of the activity depending upon the particular bug being
> exploited.
>
> Now, I have seen this happen, on a system in the wild, where the very first
> thing the attacker did was grab a copy of /etc/shadow, even with an
> interactive reverse shell and root access being had. So even when you
> recover your system from the compromise you have the risk of all those
> passwords being known, and unfortunately people have a habit of using the
> same password on more than one system.
>
> Further, lists of usernames and passwords have market value.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos