On Thu, Apr 24, 2003 at 01:32:50PM -0300, Jorge Merlino wrote: > I don't think that is a vulnerability. > The file /etc/master.passwd has read access for all users. Monitor can also > read it in a ssh session. > I you try that URL in a file with, let's say, 660 permissions you get a > blank page. Ummm... What am I missing here? Does it seem _crazy_ to anybody else that the permissions on the file containing some of the most sensitive information on the system would have read access to all users? This is clearly NOT the default on any of the BSD systems (including the one from which IPSO is derived) that I am aware of. Can anybody else confirm the permissions required to read the file? Can anybody else confirm that the /etc/master.passwd file is a+r? I would have to call this a vulnerability either way.... -visigoth
