
Re: Keeping the webserver safe



On Mon, Oct 6, 2008 at 3:00 AM, Jack T Mudge III
> Correct me if I've missed something, but isn't the /etc/passwd *supposed* to
> be world-readable, for example to translate UIDs to user names using the ls
> command?

Correct. NSS uses that file (in a standard setup) to translate UIDs
to usernames. There are other ways of going about it, but all of
them generally need to be world-readable.

The biggest problem imho with exposing /etc/passwd is not so much that
it allows you to easily obtain passwords (it doesn't if you use
shadowutils), but that it gives the attacker a list of valid usernames
for the system, something that makes an attack considerably easier,
especially if one of your users used "password" or his username as a
password, or any other dictionary word for that matter.

regards,
Izak
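As an added example (not part of the original thread), a small Python audit of the two points raised above: whether any entry still keeps its hash in the world-readable passwd file instead of in /etc/shadow, and which login-capable usernames a readable passwd reveals. The sample file content and the hash string are constructed, not taken from a real system.

```python
"""Audit helper for the /etc/passwd exposure discussed in the thread.

Checks two things a defender cares about:
  * whether any entry still carries a password hash (or an empty password)
    in the world-readable passwd file instead of an 'x' pointing at
    /etc/shadow, as shadowutils does;
  * which login-capable account names the file reveals, i.e. the username
    list that makes password guessing easier.
"""
import stat

# Constructed sample content; the hash string is a fake placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$salt$notarealhashvalue:1001:1001:Legacy:/home/legacy:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/false
"""

# Shells that do not give an interactive login.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Password-field values that carry no hash: shadowed ('x') or locked.
NO_HASH_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Yield (user, password_field, shell) for each well-formed passwd(5) line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a fuller audit would report it
        yield fields[0], fields[1], fields[6]


def unshadowed_entries(text):
    """Users whose hash (or an empty password) sits in passwd itself."""
    return [u for u, pw, _ in parse_passwd(text) if pw not in NO_HASH_MARKERS]


def interactive_accounts(text):
    """Usernames with a login shell: the list a readable passwd exposes."""
    return [u for u, _, sh in parse_passwd(text) if sh not in NON_LOGIN_SHELLS]


def shadow_mode_ok(mode):
    """True if a shadow file mode grants no read access to 'other'."""
    return not (mode & stat.S_IROTH)


if __name__ == "__main__":
    print("hashes left in passwd:", unshadowed_entries(SAMPLE_PASSWD))
    print("login-capable names exposed:", interactive_accounts(SAMPLE_PASSWD))
```

On a live host, pass the contents of /etc/passwd and the st_mode of /etc/shadow (from os.stat) to these functions; any name returned by unshadowed_entries needs moving into the shadow file.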

