Date: Tue, 14 Jul 1998 23:55:08 +0200
From: Rasmus Kaj <kaj@interbizz.se>
To: tom@uniserve.com
Cc: kaj@interbizz.se
Subject: Re: Finger and getpwent
Message-ID: <19980714235508I.kaj@interbizz.se>
In-Reply-To: Your message of "Tue, 14 Jul 1998 12:52:27 -0700 (PDT)" <Pine.BSF.3.96.980714125053.9463D-100000@shell.uniserve.ca>
References: <Pine.BSF.3.96.980714125053.9463D-100000@shell.uniserve.ca>
>>>>> "T" == Tom <tom@uniserve.com> writes:

 T> On Tue, 14 Jul 1998, Paulo Fragoso wrote:
 >> I would like in future to use "#" in the beginning of the
 >> line. Because it's more visually :-)

 T> It also has a very different effect. Munging the password field
 T> by adding a "*" simply disables all authentication, but the user
 T> still exists. This means that mail is still received. If the
 T> user is commented out, the user ceases to exist, and mail bounces.

... But it would be nice to still see the user-name (rather than the number) in `ls -l` ... This is probably minor, though.

But anyway ... Having lookups fail and reverse lookups succeed would do it ... Is this a security hole? A user who can't find 'sam' would be able to check all id's (0, 1, 2 ... 65535) and see if one returns 'sam' ... Does this matter? Is it a security flaw?

Few network services (some file systems, no more afaik) go by the numeric user Id -- and those don't care at all for the name. What happens if user #4711 on a remote system makes a file on my NFS server, which has him commented out? The file will be, if he can find a directory he (his group or all) can write to.

On the other hand, that is true if that user is entirely removed from my /etc/password as well, and certainly if he's 'disabled by password' ...

// Rasmus

-- 
kaj@cityonline.se --------------- Rasmus Kaj - http://www.e.kth.se/~kaj/
 \ CityOnLine IB Production AB - http://www.CityOnLine.se/
  \---------------------- Never try to outstubborn a cat -- Lazarus Long
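The distinction Tom draws (a `*` in the password field versus commenting the whole line out) and the `ls -l` / NFS owner-column point Rasmus raises can be made concrete with a small model of a passwd file. The following is an added example, not code from the thread or from FreeBSD: it parses a constructed passwd text (placeholder hashes, hypothetical users `sam`, `paulo`, `tom`) and mimics what `getpwnam`/`getpwuid` would return for each account state, so the consequences for login, local mail delivery and the owner column a file with an unresolvable uid would show can be checked side by side.

```python
"""Model the three account states discussed in the thread.

Constructed example (not a real system file).  States:
  active        - normal hash: resolves by name and uid, can log in
  disabled      - password field '*' (or '!'): no hash can match, but the
                  entry still exists, so uid<->name lookups work and local
                  mail is still delivered
  commented_out - line starts with '#': the user ceases to exist; neither
                  getpwnam nor getpwuid finds it, so mail bounces and
                  files owned by that uid show a bare number in `ls -l`
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample; the hashes are placeholders, not real credentials.
SAMPLE_PASSWD = """\
root:$1$placeholderhash:0:0:Charlie &:/root:/bin/csh
sam:$1$placeholderhash:1001:1001:Sam Example:/home/sam:/bin/sh
paulo:*:1002:1002:Paulo (disabled by password):/home/paulo:/bin/sh
#tom:$1$placeholderhash:1003:1003:Tom (commented out):/home/tom:/bin/sh
"""


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    state: str  # "active", "disabled" or "commented_out"


def parse_passwd(text: str) -> List[Account]:
    """Parse passwd lines, keeping commented-out ones so they can be reported."""
    accounts: List[Account] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        if commented:
            line = line[1:]
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at its meaning
        name, pw, uid, gid = fields[0], fields[1], int(fields[2]), int(fields[3])
        if commented:
            state = "commented_out"
        elif pw.startswith(("*", "!")):
            state = "disabled"  # '*' / '!' can never equal a crypt(3) hash
        else:
            state = "active"
        accounts.append(Account(name, uid, gid, state))
    return accounts


class NameService:
    """Stand-in for getpwnam/getpwuid: only non-commented entries exist."""

    def __init__(self, accounts: List[Account]) -> None:
        live = [a for a in accounts if a.state != "commented_out"]
        self.by_name: Dict[str, Account] = {a.name: a for a in live}
        self.by_uid: Dict[int, Account] = {a.uid: a for a in live}

    def getpwnam(self, name: str) -> Optional[Account]:
        return self.by_name.get(name)

    def getpwuid(self, uid: int) -> Optional[Account]:
        return self.by_uid.get(uid)


def owner_column(ns: NameService, uid: int) -> str:
    """What `ls -l` prints as owner: the name if the uid resolves, else the number.

    This is also what happens to a file created over NFS by a remote uid
    (e.g. 4711) that has no live entry on the server.
    """
    acct = ns.getpwuid(uid)
    return acct.name if acct else str(uid)


def can_login(ns: NameService, name: str) -> bool:
    """Only an existing account with a real hash can authenticate."""
    acct = ns.getpwnam(name)
    return acct is not None and acct.state == "active"


def receives_mail(ns: NameService, name: str) -> bool:
    """Local delivery only needs the entry to exist, not a usable password."""
    return ns.getpwnam(name) is not None


def summarize(text: str) -> Dict[str, str]:
    """Map each user name in the file (commented ones included) to its state."""
    return {a.name: a.state for a in parse_passwd(text)}


if __name__ == "__main__":
    ns = NameService(parse_passwd(SAMPLE_PASSWD))
    for user in ("sam", "paulo", "tom"):
        print(f"{user:6} login={can_login(ns, user)!s:5} mail={receives_mail(ns, user)}")
    for uid in (1002, 1003, 4711):
        print(f"uid {uid} shows in ls -l as: {owner_column(ns, uid)}")
```

Running it shows `paulo` (password `*`) cannot log in but still receives mail and still appears by name as a file owner, while `tom` (commented out) neither logs in nor receives mail and any file owned by uid 1003 shows the bare number, exactly the trade-off the thread describes.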