Re: Pinky command
From: Bob Proulx
Subject: Re: Pinky command
Date: Thu, 12 Nov 2009 09:59:28 -0700
User-agent: Mutt/1.5.18 (2008-05-17)

Erik Auerswald wrote:
> Bob Proulx wrote:
> > The list of uids is already public in the /etc/passwd file. That file
> > is already world readable. Therefore it isn't clear to me how using
> > another command makes this a vulnerability.
>
> Using fingerd, this could disclose login names to remote attackers.
> This, of course, does not apply to local invocation of some tool that
> uses normal user privileges.

But in the case under discussion this could only be disclosed to
remote attackers if a local user were to make that information
available to them. This is no different than if a local user were to
post this information to those remote attackers directly. Or mail it
to them. As a local user you could copy all kinds of useful attack
information onto your home web page. There isn't a way to prevent
people with access to information from making it available if they
want to do it.

Bob