gdm Create User
Simo Sorce
ssorce at redhat.com
Sun Oct 7 14:37:28 UTC 2007
On Sun, 2007-10-07 at 14:26 +0200, Lubomir Kundrak wrote:
> On Sat, 2007-10-06 at 18:18 -0400, Simo Sorce wrote:
> > Leaking the information that a user exists or not is considered bad.
>
> Though I do not think that gdm is the right place to create user
> accounts, I disagree with this statement.
>
> Knowing that a user exists or not is in principle about as
> dangerous as knowing whether a machine is up or not. Or should we
> declare ping to be a security threat?
Don't ask me, I do not agree with it :), as discovering user information
is usually very easy anyway, I just reported what many security
"experts" say or have said and how it is implemented in a lot of
software where returning "User not Found" has been replaced in time.
Simo.