Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!mit-eddie!bbn.com!nic!news.cs.brandeis.edu!chaos.cs.brandeis.edu!cos
From: cos@chaos.cs.brandeis.edu (Ofer Inbar)
Newsgroups: comp.admin.policy
Subject: /etc/passwd and generalizations
Message-ID: <cos.677569152@chaos.cs.brandeis.edu>
Date: 22 Jun 91 05:39:12 GMT
References: <20740@slice.ooc.uva.nl> <1991Jun13.114433.22530@rulway.LeidenUniv.nl> <Jun.13.12.24.51.1991.13029@pilot.njin.net>
Sender: usenet@news.cs.brandeis.edu
Organization: Brandeis University
Lines: 17

Two things I'd like to point out:

Any site on the Internet that runs fingerd is routinely giving away
login names to all who want them.  Login names are not difficult to
find, so the fact that /etc/passwd gives them away is no big deal (in
most cases).

There are legitimate uses for accounts with no passwords.  For
example, an account with a "login shell" of /bin/who.  Many of you
probably use these, and know about them, but are overlooking them when
you say things like "If I run grep :: /etc/passwd and get *anything*
back ..."

  --  Cos (Ofer Inbar)  --  cos@chaos.cs.brandeis.edu
  --  WBRS (BRiS)  --  WBRS@binah.cc.brandeis.edu  WBRS@brandeis.bitnet
 FidoNet: Ofer Inbar on 1:101/310  --  Ofer.Inbar@f310.n101.z1.fidonet.org
 The Boston Computer Society IBM PC User Group TBBS, (617) 332-5584