On Wed, Jul 09, 2003 at 11:31:29AM -0700, Gordon Messmer wrote:
> Ed Wilts wrote:
> >
> > You're right - there is a security hole there. For example, I don't
> > think it's a good idea that the password file is world readable since it
> > gives information out that you may not want to share.
>
> If you're using shadow password files (and you don't have any excuse not
> to): no, it doesn't.

Yes it does, even with shadow passwords. If you give a local user the list of all the userids on the system, he's got a head start on ids he can crack. Give him the last login time, and he's even better off - now he knows that if he cracks Joe Blow's account, and Joe only signs on once a month (as last will show), his nefarious activity might be hidden for a while longer. The more information you make public, the less secure you should feel.

For the record, if I'm being authenticated by an ldap entry, ls -l still works, even though I'm not even in /etc/passwd.

> If users can't read /etc/password then:
> * "ls -l" doesn't work, because users can't map numbers to names.
> * web servers (like apache) can't serve user directories, because it
> can't figure out where ~user is supposed to point.
> * MTAs that don't run smtpd as root (like Courier, and probably
> Postfix) can't verify whether or not a user exists, so they will
> probably fail outright.
>
> Other stuff breaks too, I'm sure. Those are just a few examples. User
> data, with the exception of authentication tokens, is not privileged
> information. Users *should* be able to read /etc/passwd.

I disagree with the last comment. I know why it works that way and understand that, but that doesn't mean it's the best way. That's just the way it is, for better or for worse. You could, for example, solve some of the issues with proper use of access control lists and various privilege models (a la VMS). On VMS, for example, the system username file is not world readable. You know what, dir/full works. Web servers are still able to serve user directories, and mail still works. It's just different.

I don't believe it's any business of a non-priv'ed user to be able to tell when another user signed on (which is currently public) and what groups that user is a member of (with the id command). That sort of information is just waiting to be abused.

--
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
Member #1, Red Hat Community Ambassador Program

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
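The thread's core point is the split between the world-readable /etc/passwd (user metadata) and the root-only /etc/shadow (authentication tokens). The following audit helper, added here as an example and not part of the original post, checks that split: it parses constructed sample passwd/shadow content (not from any real host), flags any hash that has leaked into the readable file, finds accounts with no shadow entry, lists the interactive accounts the readable file exposes, and checks whether a file's mode grants world read.

```python
"""Audit helper: authentication tokens belong in /etc/shadow, not /etc/passwd."""
import os
import stat

# Constructed sample content (not a real system); 'legacy' deliberately
# carries a hash in the passwd field to show what the check catches.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:Joe Blow:/home/joe:/bin/bash
legacy:$1$fakesalt$fakehashfakehashfakeha:1001:1001::/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
joe:$6$fakesalt$fakehashfakehashfakehash:19000:0:99999:7:::
"""

# Password-field values that mean "no hash here" (shadowed or locked).
NO_HASH_MARKERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Map user name -> fields for the seven colon-separated passwd columns."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell}
    return entries


def leaked_hashes(entries):
    """Accounts whose hash sits in the world-readable file instead of shadow."""
    return sorted(n for n, e in entries.items() if e["pw"] not in NO_HASH_MARKERS)


def unshadowed_accounts(entries, shadow_text):
    """Accounts marked 'x' in passwd but missing from shadow (misconfiguration)."""
    shadowed = {l.split(":", 1)[0] for l in shadow_text.splitlines() if l}
    return sorted(n for n, e in entries.items() if e["pw"] == "x" and n not in shadowed)


def interactive_accounts(entries):
    """Login-capable names the readable passwd exposes (the thread's concern)."""
    return sorted(n for n, e in entries.items()
                  if not e["shell"].endswith(("nologin", "false")))


def world_readable(path):
    """True if others can read `path`; None if it does not exist."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IROTH)
    except FileNotFoundError:
        return None
```

Run against a live host, `world_readable("/etc/shadow")` should be False while `world_readable("/etc/passwd")` is True, and `leaked_hashes(parse_passwd(open("/etc/passwd").read()))` should be empty.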