[1167] in linux-security and linux-alert archive
[linux-security] Cfinger
daemon@ATHENA.MIT.EDU (Roscinante)
Thu Sep 19 14:20:10 1996
Date: Thu, 19 Sep 1996 12:26:23 -0400 (EDT)
From: Roscinante <rosc@fbn.globalent.net>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199609191334.JAA00470@tarsier.cv.nrao.edu>
> From: Janos Farkas <chexum@shadow.banki.hu>
> Date: Wed, 18 Sep 1996 18:34:43 +0200 (MET DST)
> Subject: Re: [linux-security] Finger Doubt
> I have sent the author a letter, but never got any reply back (it's 3
> months later now!), so I just take the opportunity to warn the public
> against its use.
I had noticed that v1.2.2 had a 'finger.log' that could be written to a user's
homedir, and saw it wrote it as root. Big hole. I wrote the author, and he
did some fixes, so now at least it changes uid to that of the user, so please
look at cfingerd-1.2.3, and let us know if it's still a major security hole. I
asked the author if he could change the program to not need root, but I
suppose that would be major re-writing. Perhaps someone else can rewrite it,
it's beyond my experience to do so. I am forwarding these messages to the
cfinger mailing list, maybe the author will take action.
~~
All that is gold does not glitter.. .
Not all those who wander are lost..J.R..R.T. . /\ .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ._____// \\_____.
And the knowledge that they fear . \\ Rush // .
is a weapon to be held against them.. N.P. . \\ 2112 // .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ . // /\ \\ .
Ghost in the Machine (wraith@styx.ios.com) I[[[[[[[[]]]]]]]]I
Roscinante (rosc@fbn.globalent.net)
http://www.globalent.net/users/fbn
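
Added example, not part of the original message and not cfingerd's code: a C sketch of the hardened form of the pattern discussed above, where a root daemon appends to a log file inside a user's home directory. The function names open_user_log and log_as_user are hypothetical; the sketch assumes Linux/POSIX and shows the privilege drop in a child process plus refusal to follow a symlink at the log path.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: open <dir>/<name> for append without following a
   symlink placed at <name>, and accept only a regular, singly linked file
   owned by the current effective uid. Returns an fd, or -1 on refusal. */
int open_user_log(const char *dir, const char *name)
{
    struct stat st;
    int fd, dfd;
    if (strchr(name, '/')) return -1;           /* single path component only */
    if ((dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    fd = openat(dfd, name, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0) return -1;                      /* ELOOP when name is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical helper: write one log line as the target user. A child gives
   up root for good (groups, then gid, then uid) before it touches the user's
   directory, so the file is never opened with root's authority. */
int log_as_user(uid_t uid, gid_t gid, const char *dir, const char *name,
                const char *line)
{
    int status, fd;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (geteuid() == 0 &&
            (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0))
            _exit(1);
        if (geteuid() != uid || getegid() != gid) _exit(1); /* drop verified */
        if ((fd = open_user_log(dir, name)) < 0) _exit(2);
        _exit(write(fd, line, strlen(line)) == (ssize_t)strlen(line) ? 0 : 3);
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Dropping to the user's uid removes root's authority from the write; the O_NOFOLLOW and fstat checks additionally keep the daemon from being steered to a different file than the one it meant to create.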