Given the number 32149, who can convert this back to the username ?

1. Obviously I can, as I'm the user and it works okay.
2. Hopefully the 'sysadmin' can.
3. What about other users on the same server ?
4. Can anyone else convert the number back to the username ?

Peter

Re^4: Can the username be represented differently ?
by tachyon (Chancellor) on Jun 28, 2004 at 10:00 UTC

    1. Yes
    2. Yes
    3. Yes
    4. Yes*

    * But they would probably have to hack it.

    Try this (the $ is the system prompt):

    $ grep 3214 /etc/passwd | head

    This will show you the usernames/UID/GUIDs of all the users on your system (with a UID/GUID that m/3214/ to limit the result set as you have 32K users on that box)

    cheers

    tachyon

      Hi,

      The 'yes' on #1 and #2 is okay, but the 'yes' on #3 would concern me a bit. Example, a spammer signs up on the same server, registers as a customer on one of the E-commerce sites we run, and in the confirmation email is now the UID, which is safer than 'username' to the general public, but it's not rocket-science for this (new) spammer to check the email hdrs, see it is from the same server, and convert the UID back to a username. Still, using the UID is much, much better than before.

      I guess the 'yes' on #4, with the qualified 'hack necessary' would be the case for any sort of 'conversion' of the username. I wonder if we should look into the crypt() function as someone suggested ?

      Try this (the $ is the system prompt):

      $ grep 3214 /etc/passwd | head

      This will show you the usernames/UID/GUIDs of all the users on your system (with a UID/GUID that m/3214/ to limit the result set as you have 32K users on that box)

      I do have shell access, but I'd best ask the sysadmin/hosts if I can do that first, as I don't know if they would approve of it or not (I don't know if it would be considered suspect activity or not ??).

      Thanks,

      Peter

        The 'yes' on #1 and #2 is okay, but the 'yes' on #3 would concern me a bit.

        Unfortunately you are stuck with this - most operating systems and their utilities do rely quite heavily on the ability for arbitrary users to do username <-> UID lookup. Think of 'ls' or 'who' for instance ...

        /J\

        Don't be such a weenie. On *nix, if you are not allowed to see it, it won't (shouldn't) be readable by you. As noted, *anyone* with a shell can read /etc/passwd. This gets you all the usernames on the system. In days long past the password hash was also stored in /etc/passwd. crypt is a one-way hashing function, i.e. you can test if '$1$nGQrri05$TxwHgtGUu9o95ietow9r43' eq crypt( $password, $salt ) but you can't 'decrypt' the password directly. crack and other (in)famous pieces of software will let you brute force crypted passwords by testing every possible combination, or more usually a dictionary, against crypt strings.

        Anyway, if you want to add a header that can't easily be turned into a valid username but that can be decrypted with ease by the appropriate people, I would suggest a symmetrical cipher like Crypt::Blowfish. All you need to do is keep the encoding key secret. Still, it looks like there are 30,000+ accounts that can all read /etc/passwd, so the point seems moot.

        cheers

        tachyon
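
An added example, not part of any post in this thread: it contrasts the UID lookup that every local account can perform with a header token that only a key holder can map back to a username. It swaps in a keyed HMAC-SHA256 from the core Digest::SHA module for the Crypt::Blowfish cipher suggested above; the key value and the sub names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed placeholder key. In real use, load it from a file that
# only the mail-sending account and the sysadmin can read.
my $SECRET_KEY = 'constructed-demo-key-not-for-production';

# The lookup discussed in the thread: any local account can do this,
# because /etc/passwd (or the NSS source behind it) is world-readable.
sub uid_to_username {
    my ($uid) = @_;
    return scalar getpwuid($uid);    # undef if the UID is unknown
}

# Header value: keyed hash of the username, truncated to 128 bits.
sub username_to_token {
    my ($username) = @_;
    return substr(hmac_sha256_hex($username, $SECRET_KEY), 0, 32);
}

# Key holder's reverse lookup: recompute the token for every account
# and return the one that matches. Without the key the tokens cannot
# be recomputed, so reading /etc/passwd alone does not help.
sub token_to_username {
    my ($token) = @_;
    my $match;
    setpwent();
    while (my ($name) = getpwent()) {
        next unless username_to_token($name) eq $token;
        $match = $name;
        last;
    }
    endpwent();
    return $match;
}

my $uid  = $<;                        # real UID of whoever runs this
my $name = uid_to_username($uid);
die "UID $uid has no passwd entry\n" unless defined $name;

my $token = username_to_token($name);
my $back  = token_to_username($token);
print  "UID in header   : $uid -> $name (any local user can do this)\n";
print  "Token in header : $token\n";
printf "Key holder maps : %s\n", defined $back ? $back : '(not enumerable)';
```

On hosts where accounts come from a directory service that does not allow enumeration, getpwent will not list every user, and the key holder would need a stored token-to-username table instead.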

Re^4: Can the username be represented differently ?
by BUU (Prior) on Jun 28, 2004 at 07:42 UTC
    The best answer of course, is "Try it and see". On my box at least, any user can get the user name back from the uid. There might be ways to prevent this, but I'm not sure if that would break other stuff.