Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!spool.mu.edu!news.nd.edu!mentor.cc.purdue.edu!woodcock
From: woodcock@mentor.cc.purdue.edu (Bruce Sterling Woodcock)
Newsgroups: comp.admin.policy
Subject: Re: Student suspended for distributing /etc/passwd
Message-ID: <13457@mentor.cc.purdue.edu>
Date: 12 Jun 91 16:28:59 GMT
References: <31124@hydra.gatech.EDU> <1991Jun12.112633.14888@rulway.LeidenUniv.nl>
Organization: Nicer Mudders for a Better Tomorrow, Inc.
Lines: 29

In article <1991Jun12.112633.14888@rulway.LeidenUniv.nl> crissl@rulcvx.LeidenUniv.nl (Stefan Linnemann) writes:
>
>/etc/passwd is a security risk, that has not been plugged, yet.

Depends on where you are. Many places have implemented the /etc/shadow
system and it seems to have plugged most of the security hole.

While I agree that the student did a *very* stupid and harmful thing, I
would still like to note that to the student, the /etc/passwd file was
readable. It could be very likely that a large percentage of UNIX users
haven't been told that the /etc/passwd file is "off-limits" and that
allowing someone to read it is a security risk.

The only thing, IMHO, that condemns the student to such discipline in
this case is that he knew that mailing out the /etc/passwd file would
assist someone in breaking into the system. At least they say he knew;
how this was determined I don't know.

In any case, I can imagine a similar situation, wherein a truly clueless
user could make copies of the /etc/passwd file without any knowledge that
what they were doing was wrong. In such cases it would be difficult to
support punishing the user so severely. Perhaps if more time had been put
into educating the user of the guidelines, the problem would not arise.

Bruce
--
| woodcock@mentor.cc.purdue.edu       | "That's Bruce for ya, always jumping |
| sirbruce@gnu.ai.mit.edu             |  on the bandwagon, even if it's      |
| sterling@maxwell.physics.purdue.edu |  running over him."         -- Xeno  |
| Bruce@Asylum/CaveMUCK/FurryMUCK     | "I view muds as dying."  -- Firefoot |