Date: Tue, 15 Jun 2004 14:46:21 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: Detaching program from controlling terminal
Message-ID: <20040615134621.GA91079@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040615131601.GA32001@millerlite.local.mark-and-erika.com>
References: <40CE8CB9.9050504@synthexp.net> <20040615131601.GA32001@millerlite.local.mark-and-erika.com>
On Tue, Jun 15, 2004 at 09:16:02AM -0400, Mark Frank wrote:
> * On Tue, Jun 15, 2004 at 01:44:25PM +0800 Ihsan Junaidi Ibrahim wrote:
> > Hi all,
> >
> > I'm somehow stuck in the loop now and am hoping some of you can give me
> > pointers on how to proceed. Due to a customer requirement, I need to
> > build a simple web-based (via cgi or php) script to change the system
> > password. They found that sshing to the server and typing passwd to
> > change the password is wee too involving hence the need to use a much
> > friendlier interface. Letting the sysadmins change the user's password
> > is not a good idea, as the sysadmins are outsourced and the users value
> > their privacy.
>
> I'm sure I'm preaching to the choir here but what privacy do they think
> they are protecting since the sysadmins have root already?

The fact that sysadmins generally don't know users' passwords, and
have no practical means of finding them out if the user doesn't want
them to know what it is. Passwords are stored as a checksum of the
plaintext+salt -- which operation can't be reversed easily (assuming
modern encryption techniques -- the original DES password system can
be brute-forced just about feasibly nowadays).

Since the sysadmin doesn't know what the users' password is on the
systems he admins, the user can safely use the same password on other
systems with different admins.

Now, the sysadmin can always modify the users' password on any system
they control, but they can't do that without letting the user know
they've done it. And it would have to be an extremely thick user to
use a password generated by a third party on some other accounts.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
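The following is an added example, not part of the original message or thread. It illustrates the salted-hash argument made in the reply above: the same password stored on two systems yields unrelated records, and an admin can replace a record but only in a way the user notices. It assumes PBKDF2-HMAC-SHA256 from Python's hashlib as a stand-in for the system's crypt(3) scheme; the function names, iteration count and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumption: work factor chosen for this example


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what a system stores: the salt and derived hash, never the plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from the candidate password and the stored salt."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    user_password = "correct horse battery staple"  # constructed sample value
    # The same password set on two systems run by different admins.
    system_a = make_record(user_password)
    system_b = make_record(user_password)
    results = {
        "a_accepts": verify(user_password, system_a),
        "b_accepts": verify(user_password, system_b),
        # Different salts give different stored hashes, so the records on A
        # do not reveal that B holds the same password.
        "records_differ": system_a["hash"] != system_b["hash"],
    }
    # An admin with root on A can overwrite the record, but only with a
    # password the admin chose. The user's own password stops working on A,
    # which is how the user finds out.
    system_a = make_record("admin-chosen-temporary")  # constructed sample value
    results["old_password_rejected_on_a"] = not verify(user_password, system_a)
    results["still_valid_on_b"] = verify(user_password, system_b)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```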