Re: Small Bug
On Sun, Mar 05, 2000 at 09:36:26AM -0500, Guy's Account wrote:
> > The user login name is often very exposed, for example in email addresses,
> > log files etc. If you already have an account, you can usually just list
> > /home to get all user names of a system.
>
> But the problem pointed out allows an attacker *without* an account to gain
> information.
The second sentence is only meant as an addition to the first. It holds that
not on all sites is the username a secret; often it is public knowledge
(again, email addresses use it).

Also, as an administrator, you don't have control over your users. Any user
may choose to undermine your security policy and hand out a list of user
names to anyone. You can only protect against this by having no users; in
this case you can have additional measures.

The knowledge of a user name is not a security problem. If it were, our
password mechanism would be useless.

Thanks,
Marcus
--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server
Marcus Brinkmann GNU http://www.gnu.org for public PGP Key
Marcus.Brinkmann@ruhr-uni-bochum.de, marcus@gnu.org PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/ brinkmd@debian.org