RE: Pinky command
Hemant . Rumde
Thu, 12 Nov 2009 15:16:34 -0500
I totally agree with you. In fact, after sending the mail, I realized that as
far as it's local, there is
Why was the name of the command changed from "finger" to "pinky"? I liked
the new name, but there may be
Some old scripts (copied from Unix to Linux) in which finger may have
I suggested finger as a link to pinky.
I am happy you replied to me. Many times, I do not get replies to my
From: Bob Proulx [mailto:address@hidden
Sent: Thursday, November 12, 2009 11:59 AM
Cc: address@hidden; Hemant Rumde; Singh, Sonny
Subject: Re: Pinky command
Erik Auerswald wrote:
> Bob Proulx wrote:
> > The list of uids are already public in the /etc/passwd file. That
> > file is already world readable. Therefore it isn't clear to me how
> > using another command makes this a vulnerability.
> Using fingerd, this could disclose login names to remote attackers.
> This, of course, does not apply to local invocation of some tool that
> uses normal user privileges.
But in the case under discussion this could only be disclosed to remote
attackers if a local user were to make that information available to
them. This is no different than if a local user were to post this
information to those remote attackers directly. Or mail it to them. As
a local user you could copy all kinds of useful attack information onto
your home web page. There isn't a way to prevent people with access to
information from making it available if they want to do it.