Where are passwords stored?

#1 Fri, 01/08/2010 - 11:16

I need to take a look at the passwords stored by Virtualmin. For virtual servers and for mail/ftp users.

Where should I look? TIA Jo

Fri, 01/08/2010 - 11:20

Virtualmin keeps a plaintext copy of the passwords in the /etc/webmin/virtual-server/plainpass dir.

The actual passwords are in the shadow file, /etc/shadow.


Fri, 01/08/2010 - 11:57

Ugh... in a world-readable file... well, at least the file name seems to be a random id, and the directory isn't just owner-readable. Still... if that random id gets leaked, the password is toast.

That leads me to the question: is there a way to make Virtualmin never store plaintext passwords?

Fri, 01/08/2010 - 12:00

Well, the default permissions on the dir should prevent all but root from being able to see it.

What do you see if you type:

ls -ld /etc/webmin/virtual-server/plainpass

Fri, 01/08/2010 - 15:16

Ah. I misread a permissions line, confusing the permissions for /etc/webmin/virtual-server (drwx--x--x) with those for /etc/webmin/virtual-server/plainpass (drwx------).

All is good then :)

I had misread the permissions from /etc/webmin/virtual-server (drwx--x--x) as those of /etc/webmin/virtual-server/plainpass (drwx------).
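The permission check discussed in this thread, as an added example that is not part of any post above: it reads the mode of the plainpass directory itself rather than its parent, and lists the entries inside that carry group/other bits only when the directory does not already block access. The function names are hypothetical; the only path assumed is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not Virtualmin's own tooling.

# mode_of PATH: print the 10-character mode string from ls -ld
# (e.g. drwx------); prints nothing if PATH does not exist.
mode_of() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# private_dir PATH: succeed only if PATH is a directory with no
# group/other permission bits at all (drwx------ style).
private_dir() {
    case "$(mode_of "$1")" in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# exposed_entries DIR: list entries inside DIR that have any
# group/other bits set. These only matter if DIR itself is open.
exposed_entries() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || continue
        case "$(mode_of "$f")" in
            ????------) ;;
            *) printf '%s %s\n' "$(mode_of "$f")" "$f" ;;
        esac
    done
}

# audit_plainpass DIR: 0 = owner-only, 1 = group/other can get in,
# 2 = directory missing.
audit_plainpass() {
    dir=$1
    mode=$(mode_of "$dir")
    if [ -z "$mode" ]; then
        echo "MISSING $dir"
        return 2
    fi
    if private_dir "$dir"; then
        echo "OK   $mode $dir (only the owner can enter)"
        return 0
    fi
    echo "WARN $mode $dir (group/other bits set)"
    exposed_entries "$dir" | sed 's/^/  reachable: /'
    return 1
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then audit_plainpass "$1"; fi
```

Run it as root with the directory as the argument, for example `sh audit.sh /etc/webmin/virtual-server/plainpass` (the script file name is an assumption).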