[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Pinky command
From: |
Erik Auerswald |
Subject: |
Re: Pinky command |
Date: |
Thu, 12 Nov 2009 08:27:31 +0100 |
User-agent: |
Mutt/1.5.13 (2006-08-11) |
Hi,
On Wed, Nov 11, 2009 at 06:15:32PM -0700, Bob Proulx wrote:
> address@hidden wrote:
> > In old days, attackers used to create .project symbolic to passwd
> > and group files to get the List of login ids and group via
> > fingerd.
>
> The list of uids are already public in the /etc/passwd file. That file
> is already world readable. Therefore it isn't clear to me how using
> another command makes this a vulnerability.
Using fingerd, this could disclose login names to remote attackers.
This, of course, does not apply to local invokation of some tool that
uses normal user privileges.
Erik
--
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?