[CentOS] Another Fedora decision

Wed Feb 4 22:06:31 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Wed, February 4, 2015 3:55 pm, Warren Young wrote:
>> On Feb 4, 2015, at 12:16 PM, Lamar Owen <lowen at pari.edu> wrote:
>>
>> Again, the real bruteforce danger is when your /etc/shadow is
>> exfiltrated by a security vulnerability
>
> Unless you have misconfigured your system, anyone who can copy /etc/shadow
> already has root privileges.  They don’t need to crack your passwords
> now.  You’re already boned.
>

There can be a scenario where someone has /etc/shadow due to the admin's
stupidity, yet doesn't have root access. Like: NFS exported / without the
root_squash option; then everybody having root on a different box can mount
it and have your /etc/shadow.

But in general, I'm with you. And an incident like the above is really a major
incident, after which a full investigation of everything that happened on the
box, a change of all passwords (and other things that should also be considered
compromised, like keys, certs...) and a rebuild of the box are mandatory.

In any case, I agree that whoever let password hashes get exposed... is
doomed.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
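A check for the misconfiguration Valeri describes, added here as an example and not part of the original thread: a POSIX shell/awk audit of an /etc/exports file that reports every export entry carrying no_root_squash (on Linux nfsd root_squash is the default, so only that explicit option lets root on a client box read files such as /etc/shadow over the mount). The file path and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit an /etc/exports file for exports that disable root squashing.
# Prints "<path> <client> <options>" for each entry whose option list
# contains no_root_squash. Returns 0 if none are found, 1 otherwise.
find_unsquashed_exports() {
    exports_file="$1"
    # Strip comments, then walk "/path client1(opts) client2(opts)" one
    # client at a time. On Linux nfsd root_squash is the default, so only an
    # explicit no_root_squash stops uid 0 from being mapped to nobody.
    sed -e 's/#.*//' "$exports_file" | awk '
        NF >= 2 {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash") {
                        print path, client, opts
                        found = 1
                    }
                }
            }
        }
        END { if (found) exit 1; exit 0 }'
}

# Constructed sample exports file (hypothetical, not from the thread):
# the root filesystem is shared to a whole subnet with root not squashed,
# which is exactly the case that hands /etc/shadow to any remote root.
make_sample_exports() {
    cat > "$1" <<'EOF'
# lab subnet gets / with root not squashed -> /etc/shadow readable remotely
/        192.168.1.0/24(rw,sync,no_root_squash)
/home    *(rw,sync)            # root_squash is the default here
/export  build1(rw,no_root_squash) build2(ro)
EOF
}
```

Run it against the real file with `find_unsquashed_exports /etc/exports`; a non-zero exit means at least one export lets a remote root act as root on the server's files.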