[1183] in linux-security and linux-alert archive
Re: [linux-security] Cfinger (Yet more :)
daemon@ATHENA.MIT.EDU (David Holland)
Sat Sep 28 08:14:57 1996
From: David Holland <dholland@hcs.harvard.edu>
To: gtaylor+linsec092396@picante.com (Grant Taylor)
Date: Tue, 24 Sep 1996 21:21:06 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199609231821.OAA18717@pace.picante.com> from "Grant Taylor" at Sep 23, 96 02:21:02 pm
> > Aside from the fact that the standard rwho protocol is a complete
> > loss, this isn't a bad idea. The only problem is that rwho doesn't
> > give last login information. This may or may not be an issue.
>
> It's not an issue for me, since last login time is among the things I
> *don't* want to give out. You are certainly correct that the rwho
> protocol is pathetic, but it has the advantage of being already
> written and more or less adequate for single segment networks where
> you trust people.
And where there aren't many users.
> > (Also, why the fuss about fingerd? fingerd is just a wrapper that
> > runs finger.)
>
> Because I like different levels of information for random net users
> and local users. Local users are welcome to know where each other's
> mail goes, when foo was last on, etc. "Strangers" are welcome to know
> who's where now and only now, and whatever my users explicitly give
> away in .plan and .project.
Why not have fingerd pass finger an argument saying "hi, you're being
run from fingerd, restrict your output"...?
> I also have an unreasoning fear of any network service that runs
> commands derived from untrusted input, particularly when it's not
> subject to as much scrutiny as, say, sendmail or httpd.
finger's been subjected to a good deal of scrutiny.
--
- David A. Holland | Number of words in the English language that
dholland@hcs.harvard.edu | exist because of typos or misreadings: 381
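
Added example, not part of the original message and not code from any finger package: a minimal fingerd-style wrapper sketching the two points raised in the thread, namely passing finger a "restrict your output" argument and never letting the untrusted request line act as anything but a plain login name. The `--from-fingerd` flag, the `/usr/bin/finger` path and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define FINGER_PATH   "/usr/bin/finger"   /* assumed install path */
#define RESTRICT_FLAG "--from-fingerd"    /* hypothetical flag, not a real finger option */

/* Accept an empty request (list users) or a plain local login name.
 * Returns 0 and fills `user` on success, -1 if the request is refused. */
int parse_request(const char *line, char *user, size_t cap)
{
    size_t n = strcspn(line, "\r\n");      /* a request ends at CRLF */
    if (n >= cap) return -1;               /* over-long names are refused */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        /* refuses '@' (forwarding), '/', whitespace, shell characters, leading '-' */
        if (!(isalnum(c) || c == '_' || c == '.' || (c == '-' && i > 0)))
            return -1;
    }
    memcpy(user, line, n);
    user[n] = '\0';
    return 0;
}

/* Build a fixed argument vector; the restriction flag is always present. */
int build_argv(const char *user, const char *argv[4])
{
    int n = 0;
    argv[n++] = "finger";
    argv[n++] = RESTRICT_FLAG;
    if (user[0] != '\0')
        argv[n++] = user;
    argv[n] = NULL;
    return n;
}

/* Run from inetd: the client socket is stdin/stdout. */
int main(void)
{
    char line[256], user[33];
    const char *argv[4];
    if (!fgets(line, sizeof line, stdin) || parse_request(line, user, sizeof user) != 0) {
        fputs("finger: request refused\r\n", stdout);
        return 1;
    }
    build_argv(user, argv);
    execv(FINGER_PATH, (char *const *)argv);   /* no shell is involved */
    return 1;                                  /* reached only if execv fails */
}
```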