whither "passwd -p ..." ?

Jim Freeman jfree at sovereign.org
Wed Jul 4 18:29:10 UTC 2007


On Wed, Jul 04, 2007 at 05:39:25PM +0200, Cristian Ionescu-Idbohrn wrote:
> On Tue, 3 Jul 2007, Jim Freeman wrote:
> 
> > 	# passwd -p **** blip
> 
> Isn't this the well known insecure method that shouldn't be used
> because (with the right timing) anyone can snap the password with ps
> or 'cat /proc/<pid>/cmdline'?
...

As I acknowledged in parts you trimmed, yes (if "anyone" is taken
to mean "someone with shell access").

But in many embedded cases, there is no shell access (ergo, the
cgi remote admin mentioned in the original mail).

In such cases "anyone" == "no one", and "shouldn't be used" becomes
"might be used", and this particular point is then mooted.

...jfree
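
The exposure discussed in this thread, as an added example that is not part of the original mail or of BusyBox: a script that checks whether a secret handed to a child process can be read back from `/proc/<pid>/cmdline`, once when passed as an argument and once when written to the child's stdin. It assumes a Linux `/proc`; the `sh -c` child is a stand-in for the real tool, and the function names and the secret are constructed for illustration.

```shell
#!/bin/sh
# Added illustration (constructed): compares two ways a parent can hand a
# secret to a child. Assumes Linux /proc; "sh -c" stands in for the real tool.

# probe PID SECRET -> returns 0 if SECRET is readable in /proc/PID/cmdline
probe() {
    sleep 1                          # give the child time to exec
    # cmdline is NUL-separated; map NULs to spaces before matching
    if tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$2"; then
        rc=0
    else
        rc=1
    fi
    kill "$1" 2>/dev/null || true    # clean up the stand-in child
    wait "$1" 2>/dev/null || true
    return "$rc"
}

# Secret passed as an argument: it sits in the child's argv for its lifetime.
visible_via_argv() {
    sh -c 'sleep 2; :' child "$1" >/dev/null 2>&1 &
    probe "$!" "$1"
}

# Secret written to the child's stdin: argv holds only the fixed script text.
visible_via_stdin() {
    printf '%s\n' "$1" | sh -c 'read -r pw; sleep 2; :' >/dev/null 2>&1 &
    probe "$!" "$1"
}

SECRET='constructed-Sample-pw-1'     # constructed sample value
if visible_via_argv "$SECRET"; then
    echo "argv:  secret visible in cmdline"
else
    echo "argv:  secret not visible"
fi
if visible_via_stdin "$SECRET"; then
    echo "stdin: secret visible in cmdline"
else
    echo "stdin: secret not visible"
fi
```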


