Linux (and Unix) users can store in /etc/passwd not only the usual parameters (username, home directory, default shell, ...) but also their names and surnames, addresses, phone numbers, etc. In some Linux distributions, finger user1 can provide all this information to user1, and also to the other users on the same system, and this is as expected.

As regards attackers, instead: whoever can read the /etc/passwd file can read this information; also, whoever can gain a user1 shell can run finger for any user.
1) Are there other undesirable ways to read those items?
2) What is the recommended way to (hopefully) confidentially and securely store this information?
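
An added example (not part of the original question): a small audit that lists which accounts carry personal details in the comment field of /etc/passwd, the field any reader of the file can see. The five comma-separated sub-fields (full name, room, work phone, home phone, other) follow the layout conventionally used by chfn and finger and are an assumption here; the sample entries and the `min_uid` cutoff of 1000 are constructed.

```python
# Conventional sub-fields of the passwd comment (GECOS) field, as written by
# chfn and displayed by finger. Assumed layout; some systems use it differently.
GECOS_LABELS = ("full_name", "room", "work_phone", "home_phone", "other")

# Constructed sample in /etc/passwd format; not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:x:1000:1000:Ann Example,Room 12,555-0100,555-0199,ann@example.org:/home/user1:/bin/bash
user2:x:1001:1001:,,,:/home/user2:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# comment line
broken-line-without-fields
"""

def parse_gecos(gecos):
    """Split the comment field into labelled sub-fields, padding missing ones."""
    # maxsplit keeps any further commas inside the trailing "other" sub-field.
    parts = gecos.split(",", len(GECOS_LABELS) - 1)
    parts += [""] * (len(GECOS_LABELS) - len(parts))
    return {label: value.strip() for label, value in zip(GECOS_LABELS, parts)}

def audit_passwd(lines, min_uid=1000):
    """Return (account, exposed_subfields) for accounts with non-empty details."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed entry: skip rather than guess
            continue
        name, _pw, uid, _gid, gecos, _home, _shell = fields
        if not uid.isdigit() or int(uid) < min_uid:
            continue                  # ignore system accounts below the cutoff
        exposed = {k: v for k, v in parse_gecos(gecos).items() if v}
        if exposed:
            findings.append((name, exposed))
    return findings

if __name__ == "__main__":
    for account, exposed in audit_passwd(SAMPLE_PASSWD.splitlines()):
        print(account, sorted(exposed))
```

To audit a live system, pass the open file instead of the sample: `audit_passwd(open("/etc/passwd"))`.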