Building security into a multiuser operating system presents several quandaries. Take the (seemingly) basic concept of passwords, for example. They all have to be stored so that each time someone logs in, the system can compare the password they type to the stored copy. Obviously, as passwords are the keys to the kingdom, they must be safeguarded. On Linux, stored passwords are protected in two ways: they are stored as salted hashes rather than in the clear (often loosely described as "encrypted"), and only someone with root privileges can read the file that contains them.

Elevating Your Status

That might sound fine, but it presents a quandary: if only people with root privileges can access stored passwords, how do those who don't have that access change their passwords?

Usually, Linux commands and programs run with the same set of permissions as the person who launches them. When root runs the passwd command to change a password, it runs with root's permissions, which means passwd can freely access the stored passwords in the /etc/shadow file. Everyone else gets that access through the set-user-ID (SUID) bit on the passwd executable: the process runs with the file owner's (root's) effective permissions no matter who launched it, while the real user ID still records who that was. The control mechanism that prevents someone from working with another person's password is therefore contained within the passwd program itself, not in the operating system or the SUID scheme.

Programs that run with elevated privileges can pose security risks if they're not created with a "security by design" mindset. That means security is the first thing you consider, and you build on that; don't write your program and then try to give it a coat of security afterward. The biggest advantage of open source software is that you can look at the source code yourself, or refer to trusted peer reviews of it. In the source code for the passwd program there are checks, so you can see whether the person running the program is root. Different capabilities are allowed if someone is root (or is using sudo). This is the code that detects whether someone is root (shown in the original as a screenshot of the passwd source, not reproduced here). The following is an example in which that's taken into account (also a screenshot in the original, not reproduced here).
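The check the text describes, as an added example written for this page rather than taken from the passwd source: a SUID-root program cannot decide anything from its effective UID (that is 0 for everybody), so the decision has to come from the real UID that getuid() still reports. The helper names `may_change_password`, `drop_privileges` and the `verdict` values are assumptions for the illustration, not passwd's own identifiers; the policy (real root or sudo may change any account, an SUID-elevated user only their own, and nobody without an effective UID of 0) is the one the surrounding text describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Verdict of the authorisation check a passwd-like program must make. */
enum verdict { DENY = 0, ALLOW_SELF = 1, ALLOW_ANY = 2 };

/*
 * Hypothetical helper (not passwd's own code). The program is assumed to be
 * installed SUID root, so its effective UID is 0 for every launcher; the real
 * UID still identifies the person who typed the command, and that is what the
 * decision has to be based on.
 *
 *   caller_uid  - real UID of the launcher, as returned by getuid()
 *   caller_euid - effective UID the process runs with, as returned by geteuid()
 *   target_uid  - UID of the account whose password is being changed
 */
enum verdict may_change_password(uid_t caller_uid, uid_t caller_euid, uid_t target_uid)
{
    /* Without root's effective privileges /etc/shadow cannot be read or
     * written, so there is nothing the program could safely do. */
    if (caller_euid != 0)
        return DENY;

    /* Real root, which includes commands run via sudo (sudo sets both the
     * real and the effective UID to 0), may change any account's password. */
    if (caller_uid == 0)
        return ALLOW_ANY;

    /* Anyone else is root only because of the SUID bit: own account only.
     * This is the control the text says lives in passwd, not in the kernel. */
    if (caller_uid == target_uid)
        return ALLOW_SELF;

    return DENY;
}

/*
 * Security-by-design counterpart: once the privileged work is finished, give
 * the borrowed root privilege back permanently. setuid() called by a process
 * with effective UID 0 changes the real, effective and saved UIDs together,
 * so the privilege cannot be regained. Returns 0 on success, -1 otherwise.
 */
int drop_privileges(uid_t real_uid)
{
    if (setuid(real_uid) != 0)
        return -1;
    /* Verify the result rather than trusting the return value alone. */
    if (getuid() != real_uid || geteuid() != real_uid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t real_uid = getuid();
    uid_t eff_uid = geteuid();
    /* Target defaults to the caller's own account; a numeric UID may be given. */
    uid_t target = (argc > 1) ? (uid_t)strtoul(argv[1], NULL, 10) : real_uid;

    printf("real uid %u, effective uid %u, target uid %u: ",
           (unsigned)real_uid, (unsigned)eff_uid, (unsigned)target);
    switch (may_change_password(real_uid, eff_uid, target)) {
    case ALLOW_ANY:  puts("root, may change any password"); break;
    case ALLOW_SELF: puts("SUID-elevated user, own password only"); break;
    default:         puts("denied"); break;
    }

    if (drop_privileges(real_uid) != 0) {
        fprintf(stderr, "could not drop privileges\n");
        return 1;
    }
    return 0;
}
```

Run as an ordinary user the program reports equal real and effective UIDs and is denied for any target but itself. To see the SUID behaviour the text describes, make the binary root-owned with the SUID bit set (`chown root` and `chmod u+s`) and run it again as a regular user: the effective UID becomes 0 while the real UID, and therefore the verdict, stays the user's own.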