On Sun, Jan 16, 2005 at 09:51:44PM +0200, Stefanos Harhalakis wrote:
> Package: login
> Version: 1:4.0.3-30.7
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> 
> It seems that /var/log/btmp is created as a world readable file.
> This is insecure (and it is reported by 'tiger') because this file
> contains failed logins, including unknown usernames.
Aren't the usernames always visible in /etc/password?

> It is possible for a user to see the root password (and others too)
> by running /usr/bin/lastb.
lastb isn't showing me any passwords; just valid usernames as seen in
passwd and dates.

Justin

