Virtualmin keeps a plaintext copy of the passwords in the /etc/webmin/virtual-server/plainpass dir.
The actual passwords are in the shadow file, /etc/shadow.
-Eric
Ugh... in a world-readable file... well, at least the file name seems to be a random id, and the directory isn't just owner-readable. Still... if that random id gets leaked, the password is toast.
That leads me to the question: is there a way to make Virtualmin never store plaintext passwords?
Well, the default permissions on the dir should prevent all but root from being able to see it.
What do you see if you type:
ls -ld /etc/webmin/virtual-server/plainpass
Ah. I misread a permissions line, confusing the permissions for /etc/webmin/virtual-server (drwx--x--x) with those for /etc/webmin/virtual-server/plainpass (drwx------).
All is good then :)
I had misread the permissions from /etc/webmin/virtual-server (drwx--x--x) as those of /etc/webmin/virtual-server/plainpass (drwx------).
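
The permission check discussed in this thread, as an added example (not part of any post and not Virtualmin's own code): it reads the mode field from ls -ld, as the thread does, and reports whether a directory such as /etc/webmin/virtual-server/plainpass is owner-only. The function names are made up for this example, and ACLs are not examined.

```shell
#!/bin/sh
# Added example: audit a secrets directory using the ls -ld mode field.
# Function names are hypothetical; only mode bits are checked, not ACLs.

# mode_string PATH -> prints the 10-character mode field, e.g. drwx------
mode_string() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# owner_only_dir DIR -> returns 0 if DIR is a directory with no group/other bits
owner_only_dir() {
    case "$(mode_string "$1")" in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_secret_dir DIR -> prints OK/EXPOSED/MISSING; returns 0, 1 or 2
audit_secret_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "MISSING"; return 2; }
    if owner_only_dir "$dir"; then
        # Files inside may be world-readable, but nobody else can reach them.
        echo "OK $(mode_string "$dir")"
        return 0
    fi
    echo "EXPOSED $(mode_string "$dir")"
    # The directory no longer shields its contents, so each file's own
    # mode is the only barrier left: list files with group/other bits.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case "$(mode_string "$f")" in
            ????------) ;;
            *) echo "  $f $(mode_string "$f")" ;;
        esac
    done
    return 1
}

# Stand-alone use: sh audit.sh /etc/webmin/virtual-server/plainpass
if [ $# -gt 0 ]; then
    audit_secret_dir "$1"
fi
```

Run it as root against the plainpass directory itself, not its parent: a parent with drwx--x--x is expected and is reported as not owner-only.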