More PATH fallout. Who decided this was a good idea?

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Sun Dec 7 16:31:54 UTC 2008


Steve Grubb <sgrubb at redhat.com> writes:

> 5) We must audit changes to trusted databases
>
> To accomplish this, we instrument the shadow-utils code. This lets
> us see who modified any account and which account and how it was
> modified. You can find these in your audit logs by looking for
>
> ausearch --start this-month -m ADD_USER

# vipw
i
foo:x:1111:1111:x:/bin/foo:/bin/sh

# ausearch --start this-month -m ADD_USER
#

or

$ ldapadd
dn: uid=foo,...

# ausearch --start this-month -m ADD_USER
#


Both 'vipw' and 'ldapadd' are official and documented tools to manage
the user database.


> The utilities that would allow you to modify it cannot be accessed
> unless you are root.

Sounds like "when the algorithm is hidden, the crypto mechanism is
secure"...




Enrico
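
The gap shown in the message above, as an added example that is not part of the original post: a reconciliation check that lists accounts present in a passwd file for which no successful ADD_USER audit record exists. The function name, the MIN_UID default and the sample records are assumptions constructed for illustration; real audit record layouts vary between audit versions.

```shell
#!/bin/sh
# Added example, not from the original message. Lists accounts in a passwd
# file that have no successful ADD_USER audit record.

# Usage: accounts_without_add_user PASSWD_FILE AUDIT_LOG [MIN_UID]
# MIN_UID (default 1000, an assumption) skips system accounts.
accounts_without_add_user() {
    awk -v audit="$2" -v min_uid="${3:-1000}" '
    BEGIN {
        FS = ":"
        # Collect the acct= value of every successful ADD_USER record.
        while ((getline line < audit) > 0) {
            if (line !~ /^type=ADD_USER / || line !~ /res=success/) continue
            if (match(line, /acct="?[^" ]+/)) {
                name = substr(line, RSTART, RLENGTH)
                sub(/^acct="?/, "", name)
                audited[name] = 1
            }
        }
        close(audit)
    }
    # Skip comments and malformed lines in the passwd file.
    /^#/ || NF < 7 { next }
    # Report regular accounts that never appeared in an ADD_USER record.
    $3 + 0 >= min_uid + 0 && !($1 in audited) { print $1 }
    ' "$1"
}

# Constructed sample data: "bar" was created with useradd (audited),
# "foo" was typed into vipw as in the message above (no record).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bar:x:1110:1110::/home/bar:/bin/bash
foo:x:1111:1111:x:/bin/foo:/bin/sh
EOF
    cat > "$tmp/audit.log" <<'EOF'
type=ADD_USER msg=audit(1228667000.101:77): user pid=2101 uid=0 auid=500 msg='op=adding user acct="bar" exe="/usr/sbin/useradd" res=success'
EOF
    accounts_without_add_user "$tmp/passwd" "$tmp/audit.log"
    rm -rf "$tmp"
}
demo
```

The audit log argument can be the saved output of `ausearch --start this-month -m ADD_USER --raw`; accounts that live only in LDAP need the same comparison against a directory export instead of the passwd file.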



