[1187] in linux-security and linux-alert archive
Re: [linux-security] Finger Doubt
daemon@ATHENA.MIT.EDU (Igor Chudov @ home)
Wed Oct 2 06:26:06 1996
To: richard@hekkihek.hacom.nl
Date: Tue, 1 Oct 1996 18:54:10 -0500 (CDT)
Cc: linux-security@tarsier.cv.nrao.edu
Reply-To: ichudov@algebra.com (Igor Chudov)
In-Reply-To: <526ss0$26q@zeus.hekkihek.hacom.nl> from "Richard Huveneers" at Sep 23, 96 08:44:48 pm
From: ichudov@algebra.com (Igor Chudov @ home)
Here's my fingerd; it does not give any dynamic information about
users and lets them customize what they want to be shown (see comments).
It also lets the sysadmin customize the site banner.
Let me know if you like it.
#!/usr/local/bin/perl
#
# This is a replacement for my previous accept_finger SHELL script.
#
# This script shows only user name and .plan and .project. No
# security-sensitive information such as shells, dirs, login times, etc
# is shown.
#
# This perl script has the following advantages:
# 1) it is shorter than the shell script
# 2) it works MUCH faster
# 3) it is more secure
#########################################################################
#
# Note that users can customize information about them in three ways:
# 1) Create file $HOME/.nosuchuser. This will make the daemon pretend
#    like these users do not exist. Helps against spanking.
#
# 2) Create file $HOME/.nofinger. This will make the daemon refuse
#    to give out ANY information about you. However, it will give
#    an indication that a user with your name exists on the system.
#    (see item 1)).
#
# 3) Create file /etc/issue.finger with some banner about your site
#
# You can also customize logging (see below).
#
# If you do these customizations, MAKE SURE USERS' DIRECTORIES ARE WORLD
# EXECUTABLE!!!!
##########################################################################
#
# This is FREE software and comes with no warranty. See GNU Public
# License for details. ichudov@algebra.com
##########################################################################
#
############################################################### customization
# define logger args
$NeedLogger = 1;                # set to 0 if you do not want logging
@LoggerArgs = ( "/usr/bin/logger", "-p", "local3.notice" );
#
######################################################################
# get username from the socket
$user = <STDIN>;
$user = "" unless defined $user;   # empty query or closed connection
$user =~ s/\r?\n$//;               # the query ends in CRLF (RFC 1288); strip
                                   # either line ending instead of blindly
                                   # chopping two characters off the name
$user =~ tr/\x00-\x1f\x7f//d;      # drop control characters before they
                                   # reach the log line
$user = substr( $user, 0, 15 );    # to protect against logger bugs
#
###################################################################### log
# Log the event
@Logger = (@LoggerArgs, "User $user has been fingered" );
if( $NeedLogger ) {
    $child = fork;
    if( defined $child && $child == 0 ) {   # in child
        exec @Logger;   # list form: no shell, so $user is never interpreted
        exit 1;         # only reached if exec fails; never fall through and
                        # answer the finger request a second time
    }
}
$found = 0;
###################################################################### CatFile
# outputs file to stdout
sub CatFile {
    local( $fname ) = pop( @_ );
    # three-argument open: the name can never be read as a mode or a pipe
    open( FILE, "<", $fname ) || return;
    while( <FILE> ) {
        print;
    }
    close( FILE );      # close the handle, not the file name
}
####################################################### print nice banner
if( -r "/etc/issue.finger" ) {
    &CatFile( "/etc/issue.finger" );
} else {
    print "* * * * * * * * * * * Privacy-Enhanced finger server " .
          "* * * * * * * * * * *\n";
    print "==========================================" .
          "================================\n";
}
######################################################################
# read user database. If you work on BSD types of Unixes, you
# may want to customise operator marked by !!!!
open( PASSWD, "<", "/etc/passwd" ) || die "cannot read /etc/passwd: $!\n";
while( <PASSWD> ) {
    chomp;
    # you may need to customize this
    ($name, $pw, $uid, $gid, $realname, $home, $shell) = split( /:/ ); # !!!!
    if( $name eq $user ) {
        # OK, user found. now, what to do?
        if( -f "$home/.nosuchuser" ) {
            # pretend like there is no such person, to prevent excessive spanking
            last; # this stops the loop but looks like no user is found.
        }
        $found = 1;
        if( -f "$home/.nofinger" ) {
            # paranoid user
            print "User `$user' suffers from paranoia and decided to " .
                  "disable finger.\nTry email.\n";
            last;
        }
        print "Thanks for inquiring us about $user.\n$user == $realname.\n";
        #
        # So they want these kewl .project and .plan philez?
        #
        if( -r "$home/.project" ) {
            print "Project:\n";
            &CatFile( "$home/.project" );
        }
        if( -r "$home/.plan" ) {
            print "Plan:\n";
            &CatFile( "$home/.plan" );
        }
        # we are done
        last;
    }
}
if( !$found ) {
    # really not found or we are lying
    print "User `$user' not found. Try different spelling.\n";
}
# like we are good people and close opened files.
close( PASSWD );
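As an added example that is not part of Igor's post, here is the same disclosure policy (login name, real name, .project and .plan only; $HOME/.nosuchuser hides the account, $HOME/.nofinger refuses) written in Python against a constructed passwd file and home directories, so the "nothing sensitive leaks" property can be checked offline without touching /etc/passwd. The fixture, the 15-character limit and the function names are my own; the query parsing also strips a bare LF and the RFC 1288 "/W" switch, which the Perl script's double chop does not handle.

```python
"""Privacy-preserving finger responder (added example, not the original
script). Only login name, GECOS real name, .project and .plan are disclosed;
shell, uid, gid and home directory are read but never emitted."""
import os
import tempfile

MAX_USER_LEN = 15   # mirrors the Perl script's substr( $user, 0, 15 )


def parse_query(raw: bytes) -> str:
    """Turn the raw finger request line into a user name.

    RFC 1288 requests end in CRLF; we strip CRLF or bare LF rather than
    chopping a fixed number of characters, and drop the optional /W switch
    since this server has no verbose mode."""
    line = raw.decode("latin-1").rstrip("\r\n")
    if line.upper().startswith("/W"):
        line = line[2:].lstrip()
    # control characters must never reach the log or the reply
    line = "".join(ch for ch in line if ch.isprintable())
    return line[:MAX_USER_LEN]


def load_passwd(path: str) -> dict:
    """Parse a passwd-format file, keeping only the fields we may show."""
    entries = {}
    with open(path) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) < 7:
                continue
            name, _pw, _uid, _gid, gecos, home, _shell = fields[:7]
            entries[name] = {"gecos": gecos, "home": home}
    return entries


def finger_response(raw_query: bytes, passwd_path: str,
                    banner: str = "* * * Privacy-Enhanced finger server * * *\n") -> str:
    """Build the full reply for one request; returns it instead of printing."""
    user = parse_query(raw_query)
    out = [banner]
    entry = load_passwd(passwd_path).get(user)
    # unknown user and .nosuchuser are deliberately indistinguishable
    if entry is None or os.path.isfile(os.path.join(entry["home"], ".nosuchuser")):
        out.append(f"User `{user}' not found. Try different spelling.\n")
        return "".join(out)
    if os.path.isfile(os.path.join(entry["home"], ".nofinger")):
        out.append(f"User `{user}' suffers from paranoia and decided to "
                   "disable finger.\nTry email.\n")
        return "".join(out)
    out.append(f"Thanks for inquiring us about {user}.\n{user} == {entry['gecos']}.\n")
    for label, fname in (("Project", ".project"), ("Plan", ".plan")):
        path = os.path.join(entry["home"], fname)
        if os.path.isfile(path) and os.access(path, os.R_OK):
            out.append(f"{label}:\n")
            with open(path, errors="replace") as fh:
                out.append(fh.read())
    return "".join(out)


def build_fixture() -> str:
    """Constructed sample data: a temp dir holding a passwd file and three
    home directories (alice has a .plan, bob opts out, carol hides)."""
    root = tempfile.mkdtemp(prefix="fingerdemo-")
    homes = {}
    for name in ("alice", "bob", "carol"):
        homes[name] = os.path.join(root, name)
        os.mkdir(homes[name])
    with open(os.path.join(homes["alice"], ".plan"), "w") as fh:
        fh.write("Rewriting fingerd in perl.\n")
    open(os.path.join(homes["bob"], ".nofinger"), "w").close()
    open(os.path.join(homes["carol"], ".nosuchuser"), "w").close()
    passwd = os.path.join(root, "passwd")
    with open(passwd, "w") as fh:
        fh.write(f"alice:x:1001:100:Alice Example:{homes['alice']}:/bin/bash\n")
        fh.write(f"bob:x:1002:100:Bob Example:{homes['bob']}:/bin/zsh\n")
        fh.write(f"carol:x:1003:100:Carol Example:{homes['carol']}:/bin/sh\n")
    return passwd


if __name__ == "__main__":
    pw = build_fixture()
    for q in (b"alice\r\n", b"/W bob\r\n", b"carol\n", b"nobody\r\n"):
        print(finger_response(q, pw))
```

The point of returning the reply as a string is that a test can assert on it: for every user in the fixture the reply must contain nothing from the shell, uid or home fields, and the hidden account must produce the same text as a non-existent one.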