Login functionality

Dagmar d'Surreal dagmar.wants at nospam.com
Thu Feb 19 09:32:34 PST 2004


On Wed, 2004-02-18 at 13:11, Ian Molton wrote:
> On Wed, 18 Feb 2004 20:39:33 +0200
> "Tarek W." <mailinglists1 at hotpop.com> wrote:
> 
> > how bout logging the username only if the username matches an entry in
> > /etc/passwd.
> 
> very bad. that leaks information - if the log grows it's a valid username, no need to guess the uname anymore...

Beg pardon?  Normally lusers aren't going to be allowed to see the logs,
even though they will likely be able to see when it grows (unless you
o-r /var/log, which is no biggie), but they're definitely going to be
able to see /etc/passwd.  Remote users aren't going to have any idea
about what's going on in the system logs.
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org



