Date: Wed, 14 Oct 1998 07:26:39 +0300 (EEST)
From: Evren Yurtesen
To: Ben Smithurst
cc: Doug White, freebsd-questions@FreeBSD.ORG
Subject: Re: pwd.db?
In-Reply-To: <19981013165236.A945@scientia.demon.co.uk>

On Tue, 13 Oct 1998, Ben Smithurst wrote:

> Evren Yurtesen wrote:
>
> > ok then, but would it not be more secure if you had made the
> > password files readable only by the wheel group?
>
> I don't see why, neither master.passwd or passwd, or the .db files they
> are converted to contain passwords in plain text. I certainly can't see
> a security risk with having /etc/{passwd,pwd.db} world readable.
>
> > for example I would not want somebody to get my passwd file and
> > put it on the web to show all usernames on my system and the real names
> > corresponding to those login names (also I guess nobody would like
> > that idea) or somebody may send email to all my users from that passwd
> > file, is it not?
>
> Make sure your users are not so clueless then, and if they do such a
> thing, rmuser(8) is your friend :-)

How can I know if somebody did it?
Somebody can telnet to my ISP and then copy the passwd file to a file
called a.txt in their home directory and then get it with ftp, then delete
the a.txt and .history files, so how can I know who got my passwd file?

> > but those files are readable by the public, which means that anyone
> > who has an account on my system can access them, why is that?
>
> Why not? There are other ways to find out valid usernames.
>
> $ cd /home
> $ ls
>
> may work (depending on where your home directories are). True, you could
> `chmod o-r /home' but I really can't see the point.
>
> $ cd /var/mail
> $ ls
>

Can't I make the home directory readable just by root too?
Is it not possible for people to be able to read just their home
directories?

> to see who has a mailbox, which most users will have even if it's empty.
> (see above if you really want to make it tight `chmod o-r /var/mail')
>
> --
> Ben Smithurst ben@scientia.demon.co.uk
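
An added example, not part of the original message or of FreeBSD: a small audit script showing what the `chmod o-r /home' quoted above changes for other users, and how a mode 700 home directory differs. The function names (`other_access`, `audit_homes`, `make_demo`) are hypothetical, and the sample tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# other_access DIR: what users outside owner and group can do with DIR,
# read from the last permission triplet printed by ls -ld.
other_access() {
    [ -d "$1" ] || return 1
    bits=$(ls -ld "$1" | cut -c8-10)      # e.g. "r-x", "--x", "---"
    case "$bits" in
        r?[xt]) echo "list+enter" ;;      # names visible, paths reachable
        -?[xt]) echo "enter-only" ;;      # ls fails, known paths still work
        r??)    echo "list-only" ;;       # names visible, nothing reachable
        *)      echo "none" ;;
    esac
}

# audit_homes BASE: report BASE and each directory directly under it.
audit_homes() {
    printf '%-11s %s\n' "$(other_access "$1")" "$1"
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        printf '%-11s %s\n' "$(other_access "$d")" "${d%/}"
    done
}

# make_demo: constructed sample tree in a temporary directory.
make_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/alice" "$t/home/bob"
    chmod 755 "$t/home" "$t/home/alice"
    chmod 700 "$t/home/bob"               # only the owner can read this home
    chmod o-r "$t/home"                   # the change quoted in the thread
    echo "$t"
}

demo=$(make_demo) && audit_homes "$demo/home" && rm -rf "$demo"
```

After `chmod o-r` the base directory reports `enter-only`: other users can no longer list the names in it, but any home whose name they already know is still reachable unless that home itself is mode 700.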