
RE: Pinky command

From: Hemant . Rumde
Subject: RE: Pinky command
Date: Thu, 12 Nov 2009 15:16:34 -0500

Hi Bob 

I totally agree with you. In fact, after sending the mail, I realized that as
far as it's local, there are no vulnerabilities.
Why was the name of the command changed from "finger" to "pinky"? I liked the
new name, but there may be some old scripts (copied from Unix to Linux) in
which finger may have
I suggested finger as a link to pinky.

I am happy you replied to me. Many times, I do not get replies to my

Hemant Rumde 
ING Boston 

-----Original Message-----
From: Bob Proulx [mailto:address@hidden]
Sent: Thursday, November 12, 2009 11:59 AM
To: address@hidden
Cc: address@hidden; Hemant Rumde; Singh, Sonny
Subject: Re: Pinky command

Erik Auerswald wrote:
> Bob Proulx wrote:
> > The list of uids are already public in the /etc/passwd file.  That 
> > file is already world readable.  Therefore it isn't clear to me how 
> > using another command makes this a vulnerability.
> Using fingerd, this could disclose login names to remote attackers.
> This, of course, does not apply to local invocation of some tool that 
> uses normal user privileges.

But in the case under discussion this could only be disclosed to remote
attackers if a local user were to make that information available to
them.  This is no different than if a local user were to post this
information to those remote attackers directly.  Or mail it to them.  As
a local user you could copy all kinds of useful attack information onto
your home web page.  There isn't a way to prevent people with access to
information from making it available if they want to do it.


