On Sun, 2007-10-07 at 14:26 +0200, Lubomir Kundrak wrote:
> On Sat, 2007-10-06 at 18:18 -0400, Simo Sorce wrote:
> > Leaking the information that a user exists or not is considered bad.
>
> Though I do not think that gdm is the right place to create user
> accounts, I disagree with this statement.
>
> Knowing that a user exists or not is in principle about as
> dangerous as knowing whether a machine is up or not. Or should we
> declare ping to be a security threat?

Don't ask me, I do not agree with it :), as discovering user information is usually very easy anyway. I just reported what many security "experts" say or have said and how it is implemented in a lot of software where returning "User not Found" has been replaced in time.

Simo.