From owner-freebsd-stable Tue Jul 14 14:56:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA20653 for freebsd-stable-outgoing; Tue, 14 Jul 1998 14:56:32 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG) Received: from sussie.datadesign.se (ns.datadesign.se [194.23.109.130]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA20642 for ; Tue, 14 Jul 1998 14:56:29 -0700 (PDT) (envelope-from kaj@interbizz.se) Received: from localhost (sussie.datadesign.se [194.23.109.130]) by sussie.datadesign.se (8.8.5/8.8.7) with ESMTP id XAA06460; Tue, 14 Jul 1998 23:55:11 +0200 (MET DST) To: tom@uniserve.com Cc: paulo@nlink.com.br, wes@softweyr.com, jer@jorsm.com, freebsd-stable@FreeBSD.ORG Cc: kaj@interbizz.se Subject: Re: Finger and getpwent From: Rasmus Kaj In-Reply-To: Your message of "Tue, 14 Jul 1998 12:52:27 -0700 (PDT)" References: X-Mailer: Mew version 1.92.4 on XEmacs 20.4 (Emerald) X-URL: http://www.e.kth.se/~kaj/ X-Phone: +46 (0)8 - 692 35 09 / +46 (0)70 640 49 14 X-Attribution: Kaj X-Face: M9cR~WYav<"fu%MaslX0`43PAYY?uIsM8[#E(0\Xuy9rj>4gE\h3jm.7DD?]R8*^7T\o&vT U@[53Dwkuup4[0@gw#~kyu>`unH?kVj9CJa02(h>Ki\+i=%rn%sDf^KC.!?IHkKjMAbkd\jgmphp^' d|Q;OeXEAhq?ybGqOs1CHb6TJT42'C`Krnk61//AOfXtNjj/t'`5>Vw0QX!dKfOL$.f+S"LIuwR<;I Z0Qnnx(F^F]o@*V%TUtEV'1Z[TkOl^FFV9Z~A[b19%}uP*,huCU Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <19980714235508I.kaj@interbizz.se> Date: Tue, 14 Jul 1998 23:55:08 +0200 X-Dispatcher: imput version 971024 Lines: 33 Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG >>>>> "T" == Tom writes: T> On Tue, 14 Jul 1998, Paulo Fragoso wrote: >> I would like in future to use "#" in the beginning of the >> line. Because it's more visualy :-) T> It also has a very different effect. Munging the password field T> by adding a "*" simply disables all authentiction, but the user T> still exists. This means that mail is still received. If the T> user is commented out, the user ceases to exist, and mail bounces. ... But it would be nice to still se the user-name (rather than the number) in `ls -l` ... This is probably minor, though. But anyway ... Having lookups fail and reverse lookups success would do it ... Is this a security hole? A user who cant find 'sam' would be able to check all id's (0, 1, 2 ... 65535) and see if one returns 'sam' ... Does this matter? Is it a security flaw? Few network services (some file systems, no more afaik) go by the numeric user Id -- and those don't care at all for the name. What happens if user #4711 on a remote system makes a file on my NFS server, which has him commented out? The file will be, if he can find a directory he (his group or all) can write to. On the other hand, that is true if that user is entirely removed from my /etc/password entirely as well, and certainly if he's 'disabled by password' ... // Rasmus -- kaj@cityonline.se --------------- Rasmus Kaj - http://www.e.kth.se/~kaj/ \ CityOnLine IB Production AB - http://www.CityOnLine.se/ \---------------------- Never try to outstubborn a cat -- Lazarus Long To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message