Re: Pinky command

bug-coreutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Pinky command

From:	Erik Auerswald
Subject:	Re: Pinky command
Date:	Thu, 12 Nov 2009 08:27:31 +0100
User-agent:	Mutt/1.5.13 (2006-08-11)

Hi,

On Wed, Nov 11, 2009 at 06:15:32PM -0700, Bob Proulx wrote:
> address@hidden wrote:
> > In old days, attackers used to create .project symbolic to passwd
> > and group files to get the List of login ids and group via
> > fingerd.
> 
> The list of uids are already public in the /etc/passwd file.  That file
> is already world readable.  Therefore it isn't clear to me how using
> another command makes this a vulnerability.

Using fingerd, this could disclose login names to remote attackers.
This, of course, does not apply to local invokation of some tool that
uses normal user privileges.

Erik
-- 
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

[Prev in Thread]

Current Thread

[Next in Thread]

Pinky command, Hemant . Rumde, 2009/11/11
- Re: Pinky command, Bob Proulx, 2009/11/11
  - Re: Pinky command, Erik Auerswald <=
    - Re: Pinky command, Bob Proulx, 2009/11/12
    - RE: Pinky command, Hemant . Rumde, 2009/11/12
    - Re: Pinky command, Bob Proulx, 2009/11/12
    - Re: Pinky command, Alfred M. Szmidt, 2009/11/14
    - Re: Pinky command, Alfred M. Szmidt, 2009/11/12

Prev by Date: Re: Pinky command
Next by Date: update to latest gnulib
Previous by thread: Re: Pinky command
Next by thread: Re: Pinky command
Index(es):
- Date
- Thread