Re: Keeping the webserver safe
On Mon, Oct 6, 2008 at 3:00 AM, Jack T Mudge III
> Correct me if I've missed something, but isn't the /etc/passwd *supposed* to
> be world-readable, for example to translate UIDs to user names using the ls
Correct. NSS uses that file (in a standard setup) to translate UIDs
to usernames. But there are other ways of going about it, but all of
them generally need to be world readable.
The biggest problem imho with exposing /etc/passwd is not so much that
it allows you to easily obtain passwords (it doesn't if you use
shadowutils), but that it gives the attacker a list of valid usernames
for the system, something that makes an attack considerably easier,
especially if one of your users used "password" or his username as a
password, or any other dictionary word for that matter.
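
As an added example (not part of the original message), here is a small audit of passwd-format text for the two points discussed above: whether any password hash sits in the world-readable file instead of the shadow file, and which account names are login-capable and therefore worth checking for weak passwords. The sample data and the function names are constructed for illustration.

```python
# Added example: audit passwd(5)-format text for what a world-readable
# /etc/passwd exposes. SAMPLE_PASSWD is constructed, not from a real host.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin",
                    "/bin/false", "/usr/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$constructed$notARealHashValue00000:1001:1001:Bob:/home/bob:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:spare root:/root:
# comment line
broken-line-without-fields
"""

def audit(text):
    """Return findings as a dict of lists (account names or line numbers)."""
    report = {"unshadowed": [], "empty_password": [], "login_accounts": [],
              "extra_uid0": [], "malformed": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            report["malformed"].append(lineno)
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            # Empty field: no password is required for this account.
            report["empty_password"].append(name)
        elif pw != "x" and pw[0] not in "*!":
            # Not "x" (shadowed) and not locked: a hash anyone can read.
            report["unshadowed"].append(name)
        # An empty shell field means the default shell, so it counts as login.
        if shell not in NON_LOGIN_SHELLS:
            report["login_accounts"].append(name)
        if int(uid) == 0 and name != "root":
            report["extra_uid0"].append(name)
    return report

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_PASSWD).items():
        print(f"{finding}: {items}")
```

To check a real host, pass the contents of its passwd file to `audit()` in place of the sample.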