I would agree that this isn't the best configuration and should probably
be changed, but I would like to know how many people are putting untrusted
user accounts on a Nokia box?

Shawn Duffy, CCNA CCSA
email: pakkit at codepiranha dot org
web: http://codepiranha.org/~pakkit
gpg key: http://codepiranha.org/~pakkit/pakkit.asc
gpg fpr: 8988 6FB6 3CFE FE6D 548E 98FB CCE9 6CA9 98FC 665A
having problems reading email from me?
http://codepiranha.org/~pakkit/pgp-trouble.html

On Thu, 24 Apr 2003, Damieon Stark wrote:

> On Thu, Apr 24, 2003 at 01:32:50PM -0300, Jorge Merlino wrote:
> > I don't think that is a vulnerability.
> > The file /etc/master.passwd has read access for all users. Monitor can also
> > read it in a ssh session.
> > If you try that URL in a file with, let's say, 660 permissions you get a
> > blank page.
>
> Ummm... What am I missing here? Does it seem _crazy_ to anybody else that
> the permissions on the file containing some of the most sensitive information
> on the system would have read access to all users? This is clearly NOT
> the default on any of the BSD systems (including the one from which IPSO is
> derived) that I am aware of.
>
> Can anybody else confirm the permissions required to read the file? Can
> anybody else confirm that the /etc/master.passwd file is a+r?
>
> I would have to call this a vulnerability either way....
>
> -visigoth