More PATH fallout. Who decided this was a good idea?
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Sun Dec 7 16:31:54 UTC 2008
Steve Grubb <sgrubb at redhat.com> writes:
> 5) We must audit changes to trusted databases
>
> To accomplish this, we instrument the shadow-utils code. This lets
> us see who modified any account and which account and how it was
> modified. You can find these in your audit logs by looking for
>
> ausearch --start this-month -m ADD_USER

# vipw
i
foo:x:1111:1111:x:/bin/foo:/bin/sh
# ausearch --start this-month -m ADD_USER
#

or

$ ldapadd
dn: uid=foo,...
# ausearch --start this-month -m ADD_USER
#

Both 'vipw' and 'ldapadd' are official and documented tools to manage
the user database.
> The utilities that would allow you to modify it cannot be accessed
> unless you are root.
Sounds like "when the algorithm is hidden, the crypto mechanism is
secure"...
Enrico
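
The vipw session above leaves no ADD_USER record because the record is written by the instrumented tools, not by the file. A check that compares the database contents themselves sees the new account whichever tool wrote it. This is an added example, not part of the original message or of shadow-utils; the function names are hypothetical and the two snapshots are constructed (in practice they would be copies of /etc/passwd, or `getent passwd` output, taken at intervals).

```python
# Added example: report account changes by diffing two passwd snapshots,
# independent of the tool (useradd, vipw, an editor) that made the change.

def parse_passwd(text):
    """Map login name -> (uid, gid, gecos, home, shell) for each valid line."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a real monitor should flag these too
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts[name] = (uid, gid, gecos, home, shell)
    return accounts


def diff_accounts(before, after):
    """Return the names added, removed and modified between two snapshots."""
    old, new = parse_passwd(before), parse_passwd(after)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


# Constructed sample snapshots. The "foo" line is the one typed into vipw
# in the message above; the shell change for "alice" is made up.
BEFORE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)
AFTER = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/zsh\n"
    "foo:x:1111:1111:x:/bin/foo:/bin/sh\n"
)

if __name__ == "__main__":
    for kind, names in diff_accounts(BEFORE, AFTER).items():
        print(kind, names)
```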