0

Linux (and Unix) users can store in /etc/passwd not only the usual parameters (username, home directory, default shell, ...) but also: their names and surnames, addresses, phone numbers, etc.. In some Linux distributions, finger user1 can provide all this information to user1, and also to the other users in the same system and this is as expected.

As regards attackers, instead: who can read the /etc/passwd file can read this information; also, who can gain a user1 shell can run finger for any user.

1) Are there other undesirable ways to read those items?

2) What is the recommended way to (hopefully) confidentially and securely store this information?

BowPark
  • 109
  • 4

1 Answers1

3

1) The file itself is commonly read access to all in one form or another across distros. So I would always assume information in that file is public.

2) The better option is to store data in LDAP etc. If you do not want this information to be accessed for all to read.

ISMSDEV
  • 3,272
  • 12
  • 22