[1167] in linux-security and linux-alert archive


[linux-security] Cfinger

daemon@ATHENA.MIT.EDU (Roscinante)
Thu Sep 19 14:20:10 1996

Date: Thu, 19 Sep 1996 12:26:23 -0400 (EDT)
From: Roscinante <rosc@fbn.globalent.net>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199609191334.JAA00470@tarsier.cv.nrao.edu>


> From: Janos Farkas <chexum@shadow.banki.hu>
> Date: Wed, 18 Sep 1996 18:34:43 +0200 (MET DST)
> Subject: Re: [linux-security] Finger Doubt

> I have sent the author a letter, but never got any reply back (it's 3
> months later now!), so I just take the opportunity to warn the public
> against its use.

I had noticed that v1.2.2 had a 'finger.log' that could be written to a user's
homedir, and saw it wrote it as root.  Big hole. I wrote the author, and he
did some fixes, so now at least it changes uid to that of the user, so please
look at cfingerd-1.2.3, and let us know if it's still a major security hole. I
asked the author if he could change the program to not need root, but I
suppose that would be major re-writing.  Perhaps someone else can rewrite it,
it's beyond my experience to do so.   I am forwarding these messages to the
cfinger mailing list, maybe the author will take action.

~~
 All that is gold does not glitter..                      .
 Not all those who wander are lost..J.R..R.T.        .     /\     .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    ._____//  \\_____.
And the knowledge that they fear                 . \\    Rush    // .
is a weapon to be held against them.. N.P.       .   \\  2112  //   .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    .  //   /\   \\  .
Ghost in the Machine (wraith@styx.ios.com)        I[[[[[[[[]]]]]]]]I
Roscinante (rosc@fbn.globalent.net)
http://www.globalent.net/users/fbn
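
The fix the message describes (switching to the user's uid before writing finger.log in their home directory), shown in C as an added example. It is not cfingerd source: the function name `log_as_user`, the `O_NOFOLLOW` and `fstat` checks, and the one-process-per-connection assumption all belong to the example, not to the original message.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* setgroups(), O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: append `line` to <homedir>/finger.log using the
 * effective ids of the account that owns the directory, then switch back.
 * Assumes one process per connection, so supplementary groups cleared
 * here are not restored. Returns 0 on success, -1 with errno set. */
int log_as_user(const char *homedir, uid_t uid, gid_t gid, const char *line)
{
    char path[4096];
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    struct stat st;
    int fd, rc = -1, saved;

    if (snprintf(path, sizeof path, "%s/finger.log", homedir) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Groups first: once the effective uid is not 0, setegid() would fail. */
    if (old_uid == 0 && setgroups(1, &gid) != 0) return -1;
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) { saved = errno; setegid(old_gid); errno = saved; return -1; }

    /* The kernel now checks the open against the user's own permissions.
     * O_NOFOLLOW rejects a symlink as the final path component (ELOOP). */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        size_t len = strlen(line);
        if (fstat(fd, &st) != 0) { /* errno already set by fstat */ }
        else if (!S_ISREG(st.st_mode) || st.st_uid != uid) errno = EPERM;
        else if (write(fd, line, len) == (ssize_t)len) rc = 0;
        saved = errno; close(fd); errno = saved;
    }
    saved = errno;
    /* Regain the original ids (uid first, so setegid is permitted again). */
    if (seteuid(old_uid) != 0 || setegid(old_gid) != 0) return -1;
    errno = saved;
    return rc;
}
```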
