Given the number 32149, who can convert this back to the username ?
1. Obviously I can, as I'm the user and it works okay.
2. Hopefully the 'sysadmin' can.
3. What about other users on the same server ?
4. Can anyone else convert the number back to the username ?
Peter
| [reply] |
$ grep 3214 /etc/passwd | head
This will show you the usernames/UID/GUIDs of all the users on your system (with a UID/GUID that m/3214/ to limit the result set as you have 32K users on that box)
| [reply]
[d/l] |
Hi,
The 'yes' on #1 and #2 is okay, but the 'yes' on #3 would concern me a bit. Example, a spammer signs up on the same server, registers as a customer on one of the E-commerce sites we run, and in the confirmation email is now the UID, which is safer than 'username' to the general public, but it's not rocket-science for this (new) spammer to check the email hdrs, see it is from the same server, and convert the UID back to a username. Still, using the UID is much, much better than before.
I guess the 'yes' on #4, with the qualified 'hack necessary' would be the case for any sort of 'conversion' of the username. I wonder if we should look into the crypt() function as someone suggested ?
Try this (the $ is the system prompt):
$ grep 3214 /etc/passwd | head
This will show you the usernames/UID/GUIDs of all the users on your system (with a UID/GUID that m/3214/ to limit the result set as you have 32K users on that box)
I do have shell access, but I'd best ask the sysadmin/hosts if I can do that first, as I don't know if they would approve of it or not (I don't know if it would be considered suspect activity or not ??).
Thanks,
Peter
| [reply] |
The best answer of course, is "Try it and see". On my box at least, any user can get the user name back from the uid. There might be ways to prevent this, but I'm not sure if that would break other stuff.
| [reply] |