Hi,

On Wed, Nov 11, 2009 at 06:15:32PM -0700, Bob Proulx wrote:
> [email protected] wrote:
> > In old days, attackers used to create .project symbolic to passwd
> > and group files to get the List of login ids and group via
> > fingerd.
>
> The list of uids are already public in the /etc/passwd file. That file
> is already world readable. Therefore it isn't clear to me how using
> another command makes this a vulnerability.

Using fingerd, this could disclose login names to remote attackers.
This, of course, does not apply to local invocation of some tool that
uses normal user privileges.

Erik

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
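An added example, not part of the thread: one way an administrator could audit home directories for the condition discussed above, a `.project` file that is a symbolic link resolving outside the owner's home, which a finger daemon would follow when answering a remote query. The function names and the sample layout are constructed for illustration; the check also covers `.plan`, which finger daemons conventionally display alongside `.project` and which the thread does not mention.

```python
import os
import tempfile

# Files a finger daemon traditionally prints from a user's home directory.
FINGER_FILES = (".project", ".plan")

def audit_home(home):
    """Return (link, resolved_target) for finger files that are symlinks
    resolving outside the home directory they live in."""
    home_real = os.path.realpath(home)
    findings = []
    for name in FINGER_FILES:
        link = os.path.join(home, name)
        if not os.path.islink(link):
            continue  # regular file or absent: no link for the daemon to follow
        target = os.path.realpath(link)
        if os.path.commonpath([home_real, target]) != home_real:
            findings.append((link, target))
    return findings

def audit_homes(homes):
    """Audit several home directories and collect all findings."""
    return [f for home in homes for f in audit_home(home)]

def build_demo(root):
    """Constructed sample layout under root (not real system files)."""
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    passwd = os.path.join(etc, "passwd")
    with open(passwd, "w") as fh:
        fh.write("alice:x:1000:1000::/home/alice:/bin/sh\n")
    homes = []
    for user in ("alice", "bob", "carol"):
        home = os.path.join(root, "home", user)
        os.makedirs(home)
        homes.append(home)
    os.symlink(passwd, os.path.join(homes[0], ".project"))  # escapes home
    with open(os.path.join(homes[1], ".project"), "w") as fh:
        fh.write("writing docs\n")                          # plain file
    notes = os.path.join(homes[2], "notes.txt")
    with open(notes, "w") as fh:
        fh.write("on holiday\n")
    os.symlink(notes, os.path.join(homes[2], ".plan"))      # stays in home
    return homes

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for link, target in audit_homes(build_demo(root)):
            print(f"{link} -> {target}")
```

On a real host the list of home directories would come from the passwd database; only links whose resolved target leaves the home directory are reported.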
