I have kept quiet about this to this point because I have not contacted Apple, or given the vendor any opportunity to respond, but if this discussion is going to be held in public, I think the following points are worthy of discussion: * /usr/bin/nireport can be run by any user and can pull essentially the same information (including cyphertext passwords and password hints). * /usr/bin/nidump can be used for pretty much the same thing. Either of these can be run by any user, regardless of whether or not that user exists in the sudoers file (which is to say whether or not that user is allowed to "admin" the box). * The netinfo GUI (/Applications/Utilities/NetInfo Manager.app/Contents/MacOS/NetInfo Manager) is suid to root and will give out this information without requiring authentication. My system is running 10.0.4 (build 4Q12) with the Web Sharing update installed. echo8
This archive was generated by hypermail 2b30 : Mon Sep 03 2001 - 21:19:40 PDT