Re: OpenSSH 3.7


 



Lucas Albers wrote:

This is an absolutely worthless exploit.
So they can tell if an account exists on the system.


It's much easier to break into a system if you can determine whether an account exists or not. If you can get into a system as an unprivileged user then you can exploit local weaknesses to get to root. For example, you might be able to mount a dictionary attack on a password file, you might find a weak root-setuid program, you might be able to install a Trojan horse.

If you can determine the existence of an account you are well on the way to being able to get into a system -- think about it. Suppose your colleague has a weak password based on something easily guessable. If the hacker can determine the existence of a username, then he's practically in -- the password is not a barrier.

It's only a worthless exploit to someone not interested in hacking your system.

jch


--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
