You're right - there is a security hole there. For example, I don't think it's a good idea that the password file is world readable since it gives information out that you may not want to share.
If you're using shadow password files (and you don't have any excuse not to): no, it doesn't.
If users can't read /etc/passwd then:
* "ls -l" doesn't work, because users can't map numbers to names.
* web servers (like Apache) can't serve user directories, because they can't figure out where ~user is supposed to point.
* MTAs that don't run smtpd as root (like Courier, and probably Postfix) can't verify whether or not a user exists, so they will probably fail outright.
Other stuff breaks too, I'm sure. Those are just a few examples. User data, with the exception of authentication tokens, is not privileged information. Users *should* be able to read /etc/passwd.
--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list
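An added example, not part of the original post: a small audit of the split the reply describes, where account data stays world-readable in /etc/passwd and authentication tokens live only in the shadow file. The sample entries, function names and the set of accepted placeholders are assumptions made for illustration.

```python
import stat

# Constructed sample entries, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$abcdefgh$0123456789abcdefghijkl:1001:1001::/home/legacy:/bin/sh
nopass::1002:1002::/home/nopass:/bin/sh
daemon:*:2:2:daemon:/sbin:/sbin/nologin
"""

# Values that mean "look in the shadow file" or "no valid password" (assumed set).
PLACEHOLDERS = {"x", "*", "!", "!!"}

def audit_passwd_text(text):
    """Return (user, problem) pairs for entries whose password field
    holds something other than a shadow placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
        elif fields[1] == "":
            findings.append((fields[0], "empty password field"))
        elif fields[1] not in PLACEHOLDERS:
            findings.append((fields[0], "token stored in passwd"))
    return findings

def audit_modes(passwd_mode, shadow_mode):
    """Check permission bits as returned by os.stat(path).st_mode."""
    problems = []
    if not passwd_mode & stat.S_IROTH:
        problems.append("passwd not world-readable: name lookups break")
    if passwd_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("passwd writable by group or other")
    if shadow_mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("shadow accessible to other users")
    return problems

if __name__ == "__main__":
    for who, problem in audit_passwd_text(SAMPLE_PASSWD):
        print(f"{who}: {problem}")
    # Constructed modes: passwd 0644 and shadow 0600 is the expected layout.
    print(audit_modes(0o100644, 0o100600) or "modes OK")
```

On a live system, pass the contents of /etc/passwd and the `st_mode` values from `os.stat()` for both files instead of the constructed samples.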