This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.
Virtualmin keeps a plaintext copy of the passwords in the /etc/webmin/virtual-server/plainpass dir.
The actual passwords are in the shadow file, /etc/shadow.
-Eric
Ugh... in a world-readable file... well, at least the file name seems to be a random id, and the directory isn't just owner-readable. Still... if that random id gets leaked, the password is toast.
That leads me to the question: is there a way to make Virtualmin never store plaintext passwords?
Well, the default permissions on the dir should prevent all but root from being able to see it.
What do you see if you type:
ls -ld /etc/webmin/virtual-server/plainpass
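A small audit for the directory Eric describes, added here as an example (not from the thread or from Virtualmin itself): it checks that a secrets directory such as /etc/webmin/virtual-server/plainpass is mode 700, owned by the expected user, and that nothing inside it has group or other bits set. It assumes GNU stat; the expected owner is a parameter (default root) so the check can also be run against a test directory.

```shell
#!/bin/sh
# audit_secret_dir DIR [OWNER]
# Reports anything that would expose the files in DIR to other local users:
#   - DIR not mode 700 (e.g. 711 like the parent /etc/webmin/virtual-server)
#   - DIR not owned by OWNER (default root)
#   - any file in DIR with group/other permission bits set
# Returns 0 when clean, 1 when findings were printed, 2 when DIR is missing.
audit_secret_dir() {
    dir=$1
    expected_owner=${2:-root}
    status=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    mode=$(stat -c '%a' "$dir")      # GNU stat: octal mode, e.g. 700
    owner=$(stat -c '%U' "$dir")     # GNU stat: owner name
    case "$mode" in
        700) ;;
        *) echo "DIR $dir mode $mode (expected 700)"; status=1 ;;
    esac
    if [ "$owner" != "$expected_owner" ]; then
        echo "DIR $dir owner $owner (expected $expected_owner)"; status=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory: glob stays literal
        fmode=$(stat -c '%a' "$f")
        # last two octal digits are the group and other permission bits
        go=$(printf '%s' "$fmode" | tail -c 2)
        case "$go" in
            00) ;;
            *) echo "FILE $f mode $fmode (group/other bits set)"; status=1 ;;
        esac
    done
    return $status
}
```

Run it as `audit_secret_dir /etc/webmin/virtual-server/plainpass` on the server; a clean run prints nothing and exits 0.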
Ah. I misread a permissions line, confusing the permissions for /etc/webmin/virtual-server (drwx--x--x) with those for /etc/webmin/virtual-server/plainpass (drwx------).
All is good then :)
I had misread the permissions from /etc/webmin/virtual-server (drwx--x--x) as those of /etc/webmin/virtual-server/plainpass (drwx------).