Date:      Wed, 14 Oct 1998 07:26:39 +0300 (EEST)
From:      Evren Yurtesen <yurtesen@ispro.net.tr>
To:        Ben Smithurst <ben@scientia.demon.co.uk>
Cc:        Doug White <dwhite@resnet.uoregon.edu>, freebsd-questions@FreeBSD.ORG
Subject:   Re: pwd.db?
Message-ID:  <Pine.BSF.3.96.981014072436.29820A-100000@finland.ispro.net.tr>
In-Reply-To: <19981013165236.A945@scientia.demon.co.uk>

On Tue, 13 Oct 1998, Ben Smithurst wrote:

> Evren Yurtesen wrote:
> 
> > ok then, but would it not be more secure if you had made the
> > password files readable only by the wheel group?
> 
> I don't see why, neither master.passwd nor passwd, nor the .db files they
> are converted to, contain passwords in plain text. I certainly can't see
> a security risk with having /etc/{passwd,pwd.db} world readable.
> 
> > for example I would not want somebody to get my passwd file and
> > put it on the web to show all usernames on my system and the real names
> > corresponding to those login names (also I guess nobody would like
> > that idea) or somebody may send email to all my users from that passwd
> > file, is that not so?
> 
> Make sure your users are not so clueless then, and if they do such a
> thing, rmuser(8) is your friend :-)

How can I know if somebody did it? Somebody can telnet to my ISP and
then copy the passwd file to a file called a.txt in their home directory
and then get it with ftp, then delete the a.txt and .history files,
so how can I know who got my passwd file?

 
> > but those files are readable by the public, which means that anyone
> > who has an account on my system can access them, why is that?
> 
> Why not? There are other ways to find out valid usernames.
> 
> $ cd /home
> $ ls
> 
> may work (depending on where your home directories are). True, you could
> `chmod o-r /home' but I really can't see the point.
> 
> $ cd /var/mail
> $ ls
> 

Can't I make the home directory readable just by root too?
Is it not possible for people to be able to read just their own home
directories?


> to see who has a mailbox, which most users will have even if it's empty.
> (see above if you really want to make it tight `chmod o-r /var/mail')
> 
> -- 
> Ben Smithurst                                          ben@scientia.demon.co.uk
> 
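
Added example, not part of the original e-mail: a shell sketch of the directory modes the thread discusses, applying `chmod o-r` to the parent directory and mode 700 to each home directory. It runs entirely in a constructed `mktemp` sandbox standing in for /home; the user names and the helper function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: works on a throwaway tree, never on the real /home.

# Print the "other" permission triplet (r-x, --x, ---) of a path.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Succeed if users outside the owner and group can list the directory.
world_listable() {
    case "$(other_bits "$1")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Build a sandbox standing in for /home (alice and bob are constructed).
make_sandbox() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/home/alice" "$sandbox/home/bob"
    chmod 755 "$sandbox/home" "$sandbox/home/alice" "$sandbox/home/bob"
    echo "$sandbox"
}

# Parent: o-r removes listing, but o+x stays so each user can still
# traverse to their own directory. Homes: 700, readable by the owner only.
tighten_homes() {
    chmod o-r "$1"
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        chmod 700 "$d"
    done
}

# Demo: show the resulting "other" bits for each path, then clean up.
sb=$(make_sandbox)
tighten_homes "$sb/home"
for p in "$sb/home" "$sb/home/alice" "$sb/home/bob"; do
    printf '%s %s\n' "$(other_bits "$p")" "${p#"$sb"}"
done
rm -rf "$sb"
```

With the parent at `--x`, a directory name that is already known or guessed can still be tested for existence, so this hides the listing rather than the usernames themselves.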

