Re: Pinky command

bug-coreutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Pinky command

From:	Bob Proulx
Subject:	Re: Pinky command
Date:	Thu, 12 Nov 2009 09:59:28 -0700
User-agent:	Mutt/1.5.18 (2008-05-17)

Erik Auerswald wrote:
> Bob Proulx wrote:
> > The list of uids are already public in the /etc/passwd file.  That file
> > is already world readable.  Therefore it isn't clear to me how using
> > another command makes this a vulnerability.
> 
> Using fingerd, this could disclose login names to remote attackers.
> This, of course, does not apply to local invokation of some tool that
> uses normal user privileges.

But in the case under discussion this could only be disclosed to
remote attackers if a local user were to make that information
available to them.  This is no different than if a local user were to
post this information to those remote attackers directly.  Or mail it
to them.  As a local user you could copy all kinds of useful attack
information onto your home web page.  There isn't a way to prevent
people with access to information from making it available if they
want to do it.

Bob

[Prev in Thread]

Current Thread

[Next in Thread]

Pinky command, Hemant . Rumde, 2009/11/11
- Re: Pinky command, Bob Proulx, 2009/11/11
  - Re: Pinky command, Erik Auerswald, 2009/11/12
    - Re: Pinky command, Bob Proulx <=
    - RE: Pinky command, Hemant . Rumde, 2009/11/12
    - Re: Pinky command, Bob Proulx, 2009/11/12
    - Re: Pinky command, Alfred M. Szmidt, 2009/11/14
    - Re: Pinky command, Alfred M. Szmidt, 2009/11/12

Prev by Date: Re: [PATCH] fts: do not fail on a submount during traversal
Next by Date: getgroups improvements
Previous by thread: Re: Pinky command
Next by thread: RE: Pinky command
Index(es):
- Date
- Thread