Where are passwords stored?

I need to take a look at the passwords stored by Virtualmin.
For virtual servers and for mail/ftp users.

Where should I look?

Virtualmin keeps a plaintext copy of the passwords in the /etc/webmin/virtual-server/plainpass dir.

The actual passwords are in the shadow file, /etc/shadow.


Ugh… in a world-readable file… well, at least the file name seems to be a random id, and the directory isn’t just owner-readable.
Still… if that random id gets leaked, the password is toast.

That leads me to the question: is there a way to make Virtualmin never store plaintext passwords?

Well, the default permissions on the dir should prevent all but root from being able to see it.

What do you see if you type:

ls -ld /etc/webmin/virtual-server/plainpass

Ah. I misread a permissions line, confusing the permissions for /etc/webmin/virtual-server (drwx--x--x) with those for /etc/webmin/virtual-server/plainpass (drwx------).

All is good then :slight_smile:

I had misread the permissions from /etc/webmin/virtual-server (drwx--x--x) as those of /etc/webmin/virtual-server/plainpass (drwx------).
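
The check discussed in this thread, as an added example that is not part of the original posts or of Virtualmin: a world-readable file is only reachable by other users if every directory above it is also searchable (x) by them, so the script walks up from the file and prints the first component that blocks the "other" class. The function names and the optional stop directory are assumptions made for this sketch; it reads the mode column of `ls -ld` and ignores ACLs, group membership, symlinks and root.

```shell
#!/bin/sh
# Added example: find which path component stops "other" users from reading FILE.
# Usage: first_block FILE [TOP]   (TOP = highest directory to check, default /)
# Prints the blocking path, or nothing if others can reach and read FILE.

other_bits() {
    # Characters 8-10 of the ls -ld mode string are the "other" rwx bits,
    # e.g. "drwx--x--x" -> "--x", "drwx------" -> "---".
    ls -ld -- "$1" | cut -c8-10
}

first_block() {
    path=$1
    top=${2:-/}

    # The file itself must be readable by others.
    case $(other_bits "$path") in
        r*) ;;
        *)  printf '%s\n' "$path"; return 0 ;;
    esac

    # Every directory above it must be searchable (x, or t = sticky + x).
    dir=$(dirname "$path")
    while :; do
        case $(other_bits "$dir") in
            ??x|??t) ;;
            *)  printf '%s\n' "$dir"; return 0 ;;
        esac
        case $dir in
            "$top"|/|.) break ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Example call (the file name under plainpass is a placeholder for a real id):
#   first_block /etc/webmin/virtual-server/plainpass/<id>
```

With the modes quoted above, the result for any file under plainpass is the plainpass directory itself, since drwx------ stops the walk even though the parent is drwx--x--x.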