[Mailman-Users] Re: several messages

Satya satyap at satya.virtualave.net
Wed Jan 9 04:57:14 CET 2002

On Jan 8, 2002 at 14:40, Tim Legg wrote:

>Is there any reason the password must be a "*"?  It seams that this could
>be a security risk.  Couldn't anybody just login as mailman and know that
>the password is "*" and do all kinds of mean things?

As JCL says, that's a flag, not a password. /etc/passwd stores
passwords encrypted by the crypt() function. The encrypted string is
always the same length, and the first two octets (bytes? characters?)
are the 'salt' used to encrypt the password. Using the salt and the
plain password with the crypt utility or the crypt() function, we can
get the encrypted string. Compare with stored string; match means the
plain text password is correct, mismatch means it is incorrect.

Going the other way -- decrypting the encrypted string -- is very,
very, difficult.

Now a password string consisting of just *, !, !!, or x is not a valid
encrypted password. The first two or three indicate the account does
not allow logins i.e. is disabled (root can, of course, su to it
anytime). x I've seen used to indicate the password is stored in
/etc/shadow for greater security. passwd is world-readable, shadow is


Satya. <URL:http://satya.virtualave.net/>
Never attribute to malloc what can be easily explained by stupidity.

More information about the Mailman-Users mailing list