I need to take a look at the passwords stored by Virtualmin.
For virtual servers and for mail/ftp users.
Where should I look?
TIA
Jo
Virtualmin keeps a plaintext copy of the passwords in the /etc/webmin/virtual-server/plainpass dir.
The actual passwords are in the shadow file, /etc/shadow.
-Eric
Ugh… in a world-readable file… well, at least the file name seems to be a random id, and the directory isn’t just owner-readable.
Still… if that random id gets leaked, the password is toast.
That leads me to the question: is there a way to make Virtualmin never store plaintext passwords?
Well, the default permissions on the dir should prevent all but root from being able to see it.
What do you see if you type:
ls -ld /etc/webmin/virtual-server/plainpass
Ah. I misread a permissions line, confusing the permissions for /etc/webmin/virtual-server (drwx--x--x) with those for /etc/webmin/virtual-server/plainpass (drwx------).
All is good then
I had misread the permissions from /etc/webmin/virtual-server (drwx--x--x) as those of /etc/webmin/virtual-server/plainpass (drwx------).
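The point the thread settles on, as an added example that is not part of the original posts and is not Virtualmin code: a world-readable file is only exposed if every directory above it is searchable by other users. The function names, the temporary directory standing in for /etc/webmin/virtual-server, and the file name and contents are all constructed for illustration; only mode bits are checked, so ACLs are ignored.

```shell
#!/bin/sh
# Added example (not Virtualmin code). Judges access from mode bits only;
# ACLs are ignored, and root can always read regardless.

# Print the 10-character mode string, e.g. drwx------
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# Print only the "other" triplet, e.g. --x
other_bits() { ls -ld -- "$1" | cut -c8-10; }

# reachable_by_others FILE BASE
# Succeeds only if FILE is other-readable AND every directory from FILE's
# parent up to BASE is other-searchable (x or t in the last position).
reachable_by_others() {
    rb_file=$1; rb_base=$2
    case $(other_bits "$rb_file") in r??) ;; *) return 1 ;; esac
    rb_dir=$(dirname "$rb_file")
    while :; do
        case $(other_bits "$rb_dir") in ??[xt]) ;; *) return 1 ;; esac
        if [ "$rb_dir" = "$rb_base" ] || [ "$rb_dir" = "/" ]; then return 0; fi
        rb_dir=$(dirname "$rb_dir")
    done
}

# Build a constructed stand-in for /etc/webmin/virtual-server with the modes
# quoted in the thread; the file name and contents are made up.
make_sample_tree() {
    st_base=$(mktemp -d) || return 1
    mkdir "$st_base/plainpass"
    printf 'not-a-real-password\n' > "$st_base/plainpass/1234567890"
    chmod 644 "$st_base/plainpass/1234567890"   # world-readable file
    chmod 700 "$st_base/plainpass"              # drwx------
    chmod 711 "$st_base"                        # drwx--x--x
    printf '%s\n' "$st_base"
}

# Demo on the constructed tree.
demo_base=$(make_sample_tree)
demo_file=$demo_base/plainpass/1234567890
for p in "$demo_base" "$demo_base/plainpass" "$demo_file"; do
    printf '%s  %s\n' "$(mode_of "$p")" "$p"
done
if reachable_by_others "$demo_file" "$demo_base"; then
    echo "exposed to other users"
else
    echo "not reachable by other users"
fi
rm -rf "$demo_base"
```

On a real server, run `reachable_by_others` as root against a file under /etc/webmin/virtual-server/plainpass with `/` as the base to cover every ancestor directory.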