in reply to Re^4: Can the username be represented differently ?
in thread Can the username be represented differently ?

Hi,

The 'yes' on #1 and #2 is okay, but the 'yes' on #3 would concern me a bit. For example, a spammer signs up on the same server, registers as a customer on one of the E-commerce sites we run, and in the confirmation email is now the UID, which is safer than 'username' to the general public, but it's not rocket science for this (new) spammer to check the email headers, see it is from the same server, and convert the UID back to a username. Still, using the UID is much, much better than before.

I guess the 'yes' on #4, with the qualified 'hack necessary', would be the case for any sort of 'conversion' of the username. I wonder if we should look into the crypt() function as someone suggested?

Try this (the $ is the system prompt):

$ grep 3214 /etc/passwd | head

This will show you the usernames/UID/GUIDs of all the users on your system (with a UID/GUID that m/3214/, to limit the result set, as you have 32K users on that box).

I do have shell access, but I'd best ask the sysadmin/hosts if I can do that first, as I don't know if they would approve of it or not (I don't know if it would be considered suspect activity or not?).

Thanks,

Peter
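
An added example (not part of the thread) of the lookup the grep above performs, done the way any shell user can do it: exact matching on the UID field of a passwd-format file, with a constructed sample file in place of the real /etc/passwd so it runs anywhere. The names, UIDs and the recurring "3214" are made up; the sample is built to show why `grep 3214` over-matches (it also hits a UID that merely contains 3214, a GID, and a home-directory path).

```sh
#!/bin/sh
# Added example: username <-> UID lookup against a constructed passwd file.
# Everything in the sample below is invented for illustration.
PASSWD_FILE="${PASSWD_FILE:-$(mktemp)}"
cat >"$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
peter:x:3214:3214:Peter,,,:/home/peter:/bin/bash
shop1:x:32140:32140:Shop one:/home/shop1:/bin/bash
alice:x:4001:3214:Alice:/home/alice:/bin/bash
bob:x:4002:4002:Bob:/home/3214/bob:/bin/bash
EOF

# Exact match on field 3 (the UID). Prints the username, or nothing if the
# UID is not present.
uid_to_name() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$PASSWD_FILE"
}

# The reverse direction: field 1 (username) to field 3 (UID).
name_to_uid() {
    awk -F: -v name="$1" '$1 == name { print $3; exit }' "$PASSWD_FILE"
}

# For comparison: how many lines the naive `grep 3214` from the post matches.
# In the sample it matches peter, shop1 (UID 32140), alice (GID 3214) and
# bob (home directory contains 3214).
naive_grep_count() {
    grep -c "$1" "$PASSWD_FILE"
}
```

On a real box the same lookup, including accounts that live in NIS/LDAP rather than in the file, is `getent passwd 3214`; the point of the exercise is that it needs no privilege at all.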


Re^6: Can the username be represented differently ?
by gellyfish (Monsignor) on Jun 28, 2004 at 13:40 UTC
    The 'yes' on #1 and #2 is okay, but the 'yes' on #3 would concern me a bit.

    Unfortunately you are stuck with this - most operating systems and their utilities do rely quite heavily on the ability for arbitrary users to do username <-> UID lookup. Think of 'ls' or 'who' for instance ...

    /J\

      Hi,

      most operating systems and their utilities do rely quite heavily on the ability for arbitrary users to do username <-> UID lookup. Think of 'ls' or 'who' for instance

      Okay, I didn't know I could do it, nor did I know if I was 'allowed' to do it. I've just changed web hosts and the last thing I want is a 'slap on the wrist' from the new hosts for doing something I shouldn't be. I'm very ignorant of these things.

      Thanks,

      Peter

Re^6: Can the username be represented differently ?
by tachyon (Chancellor) on Jun 28, 2004 at 17:11 UTC

    height="$image_data->{review}->{height}" width="$image_data->{review}->{width}"

    Don't be such a weenie. On *nix if you are not allowed to see it it won't (shouldn't) be readable by you. As noted *anyone* with a shell can read /etc/passwd. This gets you all the usernames on the system. In days long past the password hash was also stored in /etc/passwd. crypt is a one way hashing function, i.e. you can test if '$1$nGQrri05$TxwHgtGUu9o95ietow9r43' eq crypt( $password, $salt ) but you can't 'decrypt' the password directly. crack and other (in)famous pieces of software will let you brute force crypted passwords by testing every possible combination or, more usually, a dictionary against crypt strings.

    Anyway if you want to add a header that can't easily be turned into a valid username but that can be decrypted with ease by the appropriate people I would suggest a symmetrical cipher like Crypt::Blowfish. All you need to do is keep the encoding key secret. Still it looks like there are 30,000+ accounts that can all read /etc/passwd so the point seems moot.

    cheers

    tachyon
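
An added example (not from the thread) of the two operations the post contrasts: a crypt-style one-way hash, which you can only test a guess against, and a symmetric cipher for the UID in the mail header, which anyone holding the key can reverse. `openssl passwd -1` produces the same `$1$salt$hash` MD5-crypt format as the string quoted in the post; the password, salt, word list and key used here are all invented (the password behind the post's hash is not known), and AES-256-CBC via `openssl enc` stands in for the Crypt::Blowfish module the post names, the mechanism being the same.

```sh
#!/bin/sh
# Added example: one-way crypt hash versus reversible symmetric encryption.
# Requires the openssl command-line tool. All inputs below are made up.

# Produce the stored password string for a new password.
make_hash() {   # make_hash PASSWORD SALT  ->  $1$SALT$...
    openssl passwd -1 -salt "$2" "$1"
}

# Verify a guess the way login does: re-hash with the salt taken from the
# stored string and compare. Returns 0 on match, 1 otherwise. The stored
# string never gets 'decrypted'; it is only ever compared against.
check_password() {   # check_password GUESS STORED_HASH
    salt=$(printf '%s' "$2" | cut -d'$' -f3)
    [ "$(openssl passwd -1 -salt "$salt" "$1")" = "$2" ]
}

# The dictionary attack crack and friends run: try each candidate word
# against the stored string, print the first that matches.
dictionary_attack() {   # dictionary_attack STORED_HASH WORD...
    h="$1"; shift
    for w in "$@"; do
        if check_password "$w" "$h"; then printf '%s\n' "$w"; return 0; fi
    done
    return 1
}

# Encrypt a UID for the mail header; the key is the only secret. Output is
# single-line base64 so it can sit in a header.
encrypt_uid() {   # encrypt_uid UID KEY  ->  base64 ciphertext
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:"$2" -a -A
}

# Decrypt it again. With the wrong key openssl reports a bad decrypt and
# prints nothing useful, which is the whole point of keeping the key secret.
decrypt_uid() {   # decrypt_uid CIPHERTEXT KEY  ->  UID
    printf '%s' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:"$2" -a -A 2>/dev/null
}
```

Note that the ciphertext is different on every call because `openssl enc -salt` picks a fresh random salt for the key derivation, so the same UID does not produce a recognisable constant in the header; and that whoever can read the key (the "wodget owned by root" in the later reply) can decrypt every UID ever mailed out.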

      Hi tachyon,

      height="$image_data->{review}->{height}"
      width="$image_data->{review}->{width}"

      Don't be such a weenie.

      I didn't understand the code, but no doubt it's because I'm a weenie. :D

      On *nix if you are not allowed to see it it won't (shouldn't) be readable by you. As noted *anyone* with a shell can read /etc/passwd.

      Okay, something new I've learnt today. Just thought if it wasn't readable by me, and if I tried, I might be considered a naughty boy. :D

      This gets you all the usernames on the system. In days long past the password hash was also stored in /etc/passwd. crypt is a one way hashing function i.e. you can test if

      '$1$nGQrri05$TxwHgtGUu9o95ietow9r43' eq crypt( $password, $salt )

      but you can't 'decrypt' the password directly. crack and other (in)famous pieces of software will let you brute force crypted passwords by testing every possible combination or more usually a dictionary against crypt strings.

      Okay, understand more now, thanks. I know I can't do anything much about someone trying to crack things or brute force their way in, but my overall objective with this is to be responsible with secure data, and I consider login usernames to websites as secure data.

      Anyway if you want to add a header that can't easily be turned into a valid username but that can be decrypted with ease by the appropriate people I would suggest a symmetrical cipher like Crypt::Blowfish. All you need to do is keep the encoding key secret. Still it looks like there are 30,000+ accounts that can all read /etc/passwd so the point seems moot.

      Well, I have no idea why the UID# for my account is so high, when there are only approx. 200+ domains on the server? It wouldn't really matter how many accounts there were if the UID is encrypted though, and the encoding is kept secret, although in theory, the more the (encrypted) UID is made public, the greater the chance of cracking?

      Thanks for all your help,

      Peter

        Oops, looks like I pasted some code I was working on in by mistake! I meant to quote your bit about if I grep the password file will anyone get mad. A: no, no and no-one will even notice/know. Who's a weenie now :P LOL then ROTFL.

        Anyway if you do cat /etc/passwd >passwords; more passwords you will be able to scroll through all the usernames/UID/GUID at your leisure. If you encipher the UID with Blowfish you can relax until I read your secret key, so this wodget should be owned by root. Most hacks (like most robberies) don't try to break down the armour plated door. They sneak in through the open back door/window/sewer....

        If you knew more about what you fear you would be far more nervous about the versions of Bind, SSH, Apache, FTP, etc, etc that run on your server. No one is really going to try to brute force passwords given a list of usernames (without the crypt hashes) when all they need to do is hack a daemon to get root. Even if I get a user account I still need to get root. Paranoia is fine. Focussed paranoia is more effective.....

        cheers

        tachyon