[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Pinky command

From: Bob Proulx
Subject: Re: Pinky command
Date: Thu, 12 Nov 2009 09:59:28 -0700
User-agent: Mutt/1.5.18 (2008-05-17)

Erik Auerswald wrote:
> Bob Proulx wrote:
> > The list of uids are already public in the /etc/passwd file.  That file
> > is already world readable.  Therefore it isn't clear to me how using
> > another command makes this a vulnerability.
> Using fingerd, this could disclose login names to remote attackers.
> This, of course, does not apply to local invokation of some tool that
> uses normal user privileges.

But in the case under discussion this could only be disclosed to
remote attackers if a local user were to make that information
available to them.  This is no different than if a local user were to
post this information to those remote attackers directly.  Or mail it
to them.  As a local user you could copy all kinds of useful attack
information onto your home web page.  There isn't a way to prevent
people with access to information from making it available if they
want to do it.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]