Hi Bob,

I totally agree with you. In fact, after sending the mail, I realized that as far as it's local, there are no vulnerabilities. Why was the name of the command changed from "finger" to "pinky"? I liked the new name, but there may be some old scripts (copied from Unix to Linux) in which finger may have been used. I suggested finger as a link to pinky.

I am happy you replied to me. Many times, I do not get replies to my queries.

Thanks
Hemant Rumde
ING Boston

-----Original Message-----
From: Bob Proulx [mailto:[email protected]]
Sent: Thursday, November 12, 2009 11:59 AM
To: [email protected]
Cc: [email protected]; Hemant Rumde; Singh, Sonny
Subject: Re: Pinky command

Erik Auerswald wrote:
> Bob Proulx wrote:
> > The list of uids is already public in the /etc/passwd file. That
> > file is already world readable. Therefore it isn't clear to me how
> > using another command makes this a vulnerability.
>
> Using fingerd, this could disclose login names to remote attackers.
> This, of course, does not apply to local invocation of some tool that
> uses normal user privileges.

But in the case under discussion this could only be disclosed to remote attackers if a local user were to make that information available to them. This is no different than if a local user were to post this information to those remote attackers directly. Or mail it to them. As a local user you could copy all kinds of useful attack information onto your home web page. There isn't a way to prevent people with access to information from making it available if they want to do it.

Bob
