[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keeping the webserver safe

On Mon, Oct 6, 2008 at 3:00 AM, Jack T Mudge III
> Correct me if I've missed something, but isn't the /etc/passwd *supposed* to
> be world-readable, for example to translate UIDs to user names using the ls
> command?

Correct. NSS uses that file (in a standard setup) to translate uid's
to usernames. But there are other ways of going about it, but all of
them generally needs to be world readable.

The biggest problem imho with exposing /etc/passwd is not so much that
it allows you to easily obtain passwords (it doesn't if you use
shadowutils), but that it gives the attacker a list of valid usernames
for the system, something that makes an attack considerbly easier,
especially if one of your users used "password" or his username as a
password, or any other dictionary word for that matter.


Reply to: