[Discuss] Dropping obsolete commands (Linux Pocket Guide)

[invalid at pizzashack.org (Derek Martin)]

On Wed, Nov 18, 2015 at 08:53:43PM -0500, Bill Ricker wrote:
> But if an unprivileged user wants to change their FN without simultaneously
> filing paperwork with HR to update payroll, insurance, etc, we should be
> triggering the IDS, not letting them insert impressive social-engineering
> "credentials" in the GECOS fields willy-nilly.

The reality is this is probably not very interesting, from a security
standpoint.  Nothing at your company should rely on the GECOS field
being accurate for security purposes.  At most it is ONE of MANY ways
to forge your identity on an outgoing e-mail, but the prevalence of
such methods makes that completely uninteresting.  Most e-mail clients
let you tell them who you are, and ignore what's in GECOS anyway.

Your sysadmins should know what users belong to what *USER IDs*,
regardless of what's in GECOS, and the field just isn't used for
anything else that's remotely sensitive.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.