[1183] in linux-security and linux-alert archive


Re: [linux-security] Cfinger (Yet more :)

daemon@ATHENA.MIT.EDU (David Holland)
Sat Sep 28 08:14:57 1996

From: David Holland <dholland@hcs.harvard.edu>
To: gtaylor+linsec092396@picante.com (Grant Taylor)
Date: Tue, 24 Sep 1996 21:21:06 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199609231821.OAA18717@pace.picante.com> from "Grant Taylor" at Sep 23, 96 02:21:02 pm

 > > Aside from the fact that the standard rwho protocol is a complete
 > > loss, this isn't a bad idea. The only problem is that rwho doesn't
 > > give last login information. This may or may not be an issue.
 > 
 > It's not an issue for me, since last login time is among the things I
 > *don't* want to give out.  You are certainly correct that the rwho
 > protocol is pathetic, but it has the advantage of being already
 > written and more or less adequate for single segment networks where
 > you trust people.

And where there aren't many users.

 > > (Also, why the fuss about fingerd? fingerd is just a wrapper that
 > > runs finger.)
 > 
 > Because I like different levels of information for random net users
 > and local users.  Local users are welcome to know where each other's
 > mail goes, when foo was last on, etc.  "Strangers" are welcome to know
 > who's where now and only now, and whatever my users explicitly give
 > away in .plan and .project.

Why not have fingerd pass finger an argument saying "hi, you're being
run from fingerd, restrict your output"...?

 > I also have an unreasoning fear of any network service that runs
 > commands derived from untrusted input, particularly when it's not
 > subject to as much scrutiny as, say, sendmail or httpd.

finger's been subjected to a good deal of scrutiny.

-- 
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381
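
One way the suggestion above could look, as an added example that is not code from this message or from any real fingerd: the wrapper validates the untrusted request line and execs finger directly, with no shell in between. The `--from-fingerd` flag, the `build_finger_argv` helper, the finger path and the 32-character name limit are all hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_USER      32                  /* assumed limit on user name length */
#define FINGER_PATH   "/usr/bin/finger"   /* assumed install path */
#define RESTRICT_FLAG "--from-fingerd"    /* hypothetical "restrict your output" flag */

/* Turn one request line from the network ("user\r\n", optionally preceded
 * by "/W") into an argv for exec. Returns the argument count, or -1 if the
 * request is refused. userbuf must hold MAX_USER + 1 bytes. */
int build_finger_argv(const char *line, char *userbuf, const char *argv[4])
{
    size_t n = 0;
    int argc = 0;

    argv[argc++] = "finger";
    argv[argc++] = RESTRICT_FLAG;         /* always passed, never client-controlled */
    while (*line == ' ') line++;
    if (line[0] == '/' && (line[1] == 'W' || line[1] == 'w')) {
        line += 2;                        /* verbose request: accepted but ignored */
        while (*line == ' ') line++;
    }
    for (; *line && *line != '\r' && *line != '\n'; line++) {
        unsigned char c = (unsigned char)*line;
        /* Conservative allowlist; a leading '-' is refused so the name
         * can never be parsed by finger as an option. */
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-') ||
            (n == 0 && c == '-') || n >= MAX_USER)
            return -1;
        userbuf[n++] = (char)c;
    }
    userbuf[n] = '\0';
    if (n > 0) argv[argc++] = userbuf;    /* empty request: list current users */
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    char line[256], user[MAX_USER + 1];
    const char *argv[4];

    if (!fgets(line, sizeof line, stdin)) return 1;   /* inetd hands us the socket */
    if (build_finger_argv(line, user, argv) < 0) return 1;
    execv(FINGER_PATH, (char *const *)argv);          /* argv array, no shell */
    return 1;                                         /* only reached if exec fails */
}
```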
