[1187] in linux-security and linux-alert archive


Re: [linux-security] Finger Doubt

daemon@ATHENA.MIT.EDU (Igor Chudov @ home)
Wed Oct 2 06:26:06 1996

To: richard@hekkihek.hacom.nl
Date: Tue, 1 Oct 1996 18:54:10 -0500 (CDT)
Cc: linux-security@tarsier.cv.nrao.edu
Reply-To: ichudov@algebra.com (Igor Chudov)
In-Reply-To: <526ss0$26q@zeus.hekkihek.hacom.nl> from "Richard Huveneers" at Sep 23, 96 08:44:48 pm
From: ichudov@algebra.com (Igor Chudov @ home)

Here's my fingerd, it does not give any dynamic information about
users and lets them customize what they want to be shown (see comments).
It also lets sysadmin customize the site banner. 

Let me know if you like it.



#!/usr/local/bin/perl
#
# This is a replacement for my previous accept_finger SHELL script.
#
# This script shows only user name and .plan and .project. No 
# security-sensitive information such as shells, dirs, login times, etc
# is shown.
#
# This perl script has the following advantages: 
#   1) it is shorter than the shell script
#   2) it works MUCH faster
#   3) it is more secure
#########################################################################
#
# Note that users can customize information about them in three ways:
#   1) Create file $HOME/.nosuchuser. This will make the daemon pretend
#      like these users do not exist. Helps against spanking.
#
#   2) Create file $HOME/.nofinger. This will make the daemon refuse
#      giving out ANY information about you. However, it will give
#      an indication that a user with your name exists on the system.
#      (see item 1)).
#
#   3) Create file /etc/issue.finger with some banner about your site
#
#   You can also customize logging (see below).
#
#   If you do these customizations, MAKE SURE USERS' DIRECTORIES ARE WORLD
#   EXECUTABLE!!!!
##########################################################################
# 
# This is FREE software and comes with no warranty. See GNU Public
# License for details. ichudov@algebra.com
##########################################################################

#
############################################################### customization
# define logger args
$NeedLogger = 1; # set to 0 if you do not want logging
@LoggerArgs = ( "/usr/bin/logger", "-p", "local3.notice" );

#
######################################################################
# get username from the socket
$user = <STDIN>;
$user = "" unless defined $user; # client closed the connection without a query
$user =~ s/\r?\n$//; # strip only the line terminator (CRLF or bare LF)
$user = substr( $user, 0, 15 ); # to protect against logger bugs

#
###################################################################### log
# Log the event
@Logger = (@LoggerArgs, "User $user has been fingered" );

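if( $NeedLogger ) {
  $child = fork;
  if( defined( $child ) && $child == 0 ) { # in child (fork returns undef on failure)
    exec @Logger; # exec should be secure I think.
    exit 1; # exec failed: the child must not go on to answer the query
  }
}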

$found = 0;

###################################################################### CatFile
# outputs file to stdout
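sub CatFile {
  local( $fname ) = pop( @_ );
  # explicit read mode; skip files that cannot be opened
  open( FILE, "<", $fname ) || return;
    while( <FILE> ) {
      print;
    }
  close( FILE ); # close the handle, not the file name
}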

####################################################### print nice banner
if( -r "/etc/issue.finger" ) {
  &CatFile( "/etc/issue.finger" );
} else {
  print "* * * * * * * * * * * Privacy-Enhanced finger server " .
        "* * * * * * * * * * *\n";
  print "==========================================" .
        "================================\n";
}

######################################################################
# read user database. If you work on BSD types of Unixes, you 
# may want to customise operator marked by !!!!
open( PASSWD, "/etc/passwd" );

while( <PASSWD> ) {
  # you may need to customize this
  ($name, $pw, $uid, $gid, $realname, $home, $shell) = split( /:/ ); # !!!!

  if( $name eq $user ) {
    # OK, user found. now, what to do?

    if( -f "$home/.nosuchuser" ) { 
      # pretend like there is no such person, to prevent excessive spanking
      last; # this stops the loop but looks like no user is found.
    }

    $found = 1;

    if( -f "$home/.nofinger" ) {
      # paranoid user
      print "User `$user' suffers from paranoia and decided to " .
            "disable finger.\nTry email.\n";
      last;
    }

    print "Thanks for inquiring us about $user.\n$user == $realname.\n";

    #
    # So they want these kewl .project and .plan philez?
    #
    if( -r "$home/.project" ) {
      print "Project:\n";
      &CatFile( "$home/.project" );
    }

    if( -r "$home/.plan" ) {
      print "Plan:\n";
      &CatFile( "$home/.plan" );
    }

    # we are done
    last; 
  }
}

if( !$found ) {
  # really not found or we are lying
  print "User `$user' not found. Try different spelling.\n";
}

# like we are good people and close opened files.
close( PASSWD );
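
A stricter way to read the user-controlled .plan and .project files that CatFile prints, as an added example that is not part of the original post. It assumes the daemon may run under an account with more file access than the fingered user and a platform that provides O_NOFOLLOW; the name safe_cat and the 8192-byte cap are illustrative.

```perl
#!/usr/bin/perl
# Added example, not from the original post: show a user-controlled file
# such as ~/.plan only if it is a regular file owned by that user.
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW O_NONBLOCK);
use File::Temp qw(tempdir);

my $MAX_BYTES = 8192;    # illustrative cap (assumption)

# Returns the filtered text, or undef if the file must not be shown.
# $uid is the uid field of the user's passwd entry.
sub safe_cat {
    my ( $path, $uid ) = @_;

    # O_NOFOLLOW: fail if the final path component is a symlink.
    # O_NONBLOCK: do not hang in open() on a FIFO.
    sysopen( my $fh, $path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK )
        or return undef;

    # Check the object that was opened, not the path name.
    my @st = stat($fh) or return undef;
    return undef unless -f _;              # regular files only
    return undef unless $st[4] == $uid;    # owned by the fingered user

    my $buf = '';
    defined( sysread( $fh, $buf, $MAX_BYTES ) ) or return undef;
    close($fh);

    # Keep printable ASCII, tab and newline; drop everything else so
    # the file cannot send control sequences to the client's terminal.
    $buf =~ tr/\x09\x0a\x20-\x7e//cd;
    return $buf;
}

# Constructed demo: a real .plan, and a .project symlinked to it.
my $home = tempdir( CLEANUP => 1 );
open( my $out, '>', "$home/.plan" ) or die "open: $!";
print $out "Working on fingerd.\e[2J\n";
close($out);
symlink( "$home/.plan", "$home/.project" ) or die "symlink: $!";

for my $f ( '.plan', '.project' ) {
    my $text = safe_cat( "$home/$f", $> );
    print "$f: ", defined $text ? $text : "(not shown)\n";
}
```

In the daemon, the uid passed to safe_cat would be the $uid field already split out of the matching /etc/passwd line.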
