
Re: [LANdb] Proposed login system



> weez> Ok, so the config file then has to be stored readable only by
> weez> nobody.nogroup, but it's still left vulnerable to attack from
> weez> anything else running as nobody.  And I'm assuming "superuser's"
>
> A good reason *not* to run the webserver as user/group nobody.

Well, no matter what user the script/server is run as, you've got a potential problem,
unless this is a dedicated machine, or there's some way of configuring the server to run as
one user for 'this set of scripts' and another one elsewhere.


> weez> Is using md5 more appropriate than Crypt?
>
> Probably yes, in this case.  I haven't timed it, but I would suspect md5 to
> be faster than Crypt, since md5 is allowed to be lossy - the results of
> Crypt absolutely must be lossless and capable of being decrypted, while md5
> is able to get away with a non-zero but very small chance that two
> different strings will return the same hash.

ok.  Time to head over to cpan.


John





-------------------------------------
LANdb - Network Management through SQL
-------------------------------------