erin@otago.ac.nz (John Gee) (06/18/91)
Whether the action taken by the university on this occasion was justified is hard to say without hearing the full story. No doubt that will be resolved at the suspension hearing :-)

As a naive user I would think the file was readable and so I could give it to people. As a sysadmin I would garrot him. So without deciding which hat to wear, some comments on a previous followup:

In article <1911@vtserf.cc.vt.edu>, marchany@vtserf.cc.vt.edu (Randy Marchany) writes:
> In article <PCG.91Jun14182440@aberdb.aber.ac.uk> pcg@aber.ac.uk (Piercarlo Grandi) writes:
>>
>>No. The point is: what the student did was not improper. There was a
>>file readable to all.
                   ^^^
I think *all* needs clarifying. We have no reason to assume that the file was readable by anonymous users. I agree that the file would have been readable by all registered, password verified users.

I take exception with your comment that the action was "not improper"! Supposedly the student mailed a password file to an offsite person, so said person could attempt to break onto usercodes. A person is not judged guilty of an ILLEGAL act until proved guilty, but surely a person mailing /etc/passwd offsite to a cracker without the agreement of the sysadmin is clearly committing an IMPROPER act!

>> He took a copy of it, and gave it to somebody
>>else. Had he had done so with /etc/motd, would that have been a breach
>>of security? Clearly not. So this guy was suspended for having done
>>something that was thoroughly harmless.

There is a proven potential for unauthorised access to a system to be gained by analyzing /etc/passwd. Is what the guy did thoroughly harmless in the eyes of the sysadmin, users who rely on the integrity of the system, and whoever pays for it?

[...]

And from Randy Marchany:

> Once again, sites need to DEFINE their policy and EDUCATE their user
> community and if the users AGREE to abide by that policy, we have no
> right to denigrate a particular site's handling of a policy violation.
> Sysadmins need to formulate a DRAFT policy and obtain the support of
> their administration (pres., vice-pres., dean, etc.) to enforce it.
>
> -Randy Marchany
> VA Tech Computing Center
> Blacksburg, VA 24060
>
> INTERNET: marchany@vtserf.cc.vt.edu
> "my opinions are my own"

These are good words! People can argue about the policy, whether it is right or wrong, but whether you agree to abide by it is a separate issue.

--
The views expressed here are my own, and not necessarily those of my employer.
John Gee
University of Otago, New Zealand
erin@otago.ac.nz (Internet)