Re: Ffingerd privacy issues
daemon@ATHENA.MIT.EDU (Felix von Leitner)
Fri Apr 23 14:45:44 1999
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Message-Id: <19990423194332.A19414@vim.org>
Date: Fri, 23 Apr 1999 19:43:33 +0200
Reply-To: Felix von Leitner <leitner-bugtraq@MATH.FU-BERLIN.DE>
From: Felix von Leitner <leitner-bugtraq@MATH.FU-BERLIN.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990423192612.A20086@aristo.tau.ac.il>; from Eilon Gishri on
Fri, Apr 23, 1999 at 07:26:13PM +0300
Thus spake Eilon Gishri (eilon@aristo.tau.ac.il):
> I found a couple of bugs in ffingerd 1.19 which are related to
> privacy.
OK. I would be happy if you email me (the author) first before
publishing this on bugtraq. Next time, maybe.
[ffingerd assumes the user wants to be fingered if his home does not
give public execute access]
This is documented in ffingerd. If you want ffingerd to look into
protected homes, run it as root.
> -----
> (aristo)/cc/eilon>finger root@host.domain
> [host.domain]
> That user does not want to be fingered
> -----
> Hmmm, now for an unknown user.
> -----
> (aristo)/cc/eilon>finger root1@host.domain
> [host.domain]
> That user does not want to be fingered.
> -----
> Oops. Notice the dot ('.') at the end of the sentence. A very simple
> and efficient way to find whether the user exists on the remote host
> or not (taking into account the fact that ffingerd has been installed
> on the remote host).
This has been pointed out to me yesterday. I fixed it today (before I
saw this message, by the way), and announced version 1.20 on Freshmeat
pointing out this fixed problem. Did you see my announcement and then
post to bugtraq?
> --- ffingerd.c.old Thu Feb 18 12:50:36 1999
> +++ ffingerd.c Fri Apr 23 18:48:54 1999
> @@ -134,7 +134,7 @@
> setgid(pwd->pw_gid);
> setuid(pwd->pw_uid);
> sprintf(filename,"%.200s/.nofinger",pwd->pw_dir);
> - if (lstat(filename,&stat_buf)) {
> + if((lstat(filename,&stat_buf) == -1) && (errno == ENOENT)) {
> #ifndef NO_SYSLOG
> #ifdef FASCIST_LOGGING
> char message[512];
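Review bot: the new condition changes what a failed lstat() means, and the hunk should say so explicitly. With the old `if (lstat(filename,&stat_buf))` every failure, including EACCES from a home directory without execute permission, meant "no .nofinger, finger allowed"; with `(lstat(filename,&stat_buf) == -1) && (errno == ENOENT)` only ENOENT means that, and any other error (EACCES, ELOOP, ENAMETOOLONG, EIO) now falls through to the "does not want to be fingered" branch. errno is read only after the -1 return, which is correct, but the hunk shows no `#include <errno.h>`, so check that ffingerd.c has it. Two smaller points on the visible context: the `setgid(pwd->pw_gid);` and `setuid(pwd->pw_uid);` return values are unchecked, so when the daemon is not root both fail silently and the lstat runs as the daemon's own uid, which is exactly the "run it as root" case the reply describes; and a non-ENOENT failure is worth a syslog line rather than being treated silently as a .nofinger, otherwise a transient error is indistinguishable from a user's deliberate choice.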
This is debatable.
If a user wants privacy, he should remove the world readable permission,
not the world executable permission.
I will not add this right now but think it over. If anyone wants to
comment on the way to go here, feel free to email me. I would prefer
discussing this in private email rather than on bugtraq, but if you must, I
will also read bugtraq comments.
> @@ -154,7 +154,7 @@
> dump_file(filename,"Public key:","No public key.");
> } else {
> char message[512];
> - puts("That user does not want to be fingered");
> + puts("That user does not want to be fingered.");
> #ifndef NO_SYSLOG
> sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote);
> syslog(LOG_FACILITY,"%s",message);
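Review bot: the trailing period makes this response byte-identical to the unknown-user response quoted above ("That user does not want to be fingered."), which is what closes the existence oracle this report describes. Because the two strings live in different code paths, factor them into one shared constant used by both so they cannot drift apart again, and check the unknown-user path for any other visible difference (trailing newline, whether it also syslogs as this branch does with `syslog(LOG_FACILITY,"%s",message)`), since any remaining difference reopens the same channel. The `sprintf` into `message[512]` is bounded by the two `%.200s` specifiers and fits, so no change is needed there.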
This has already been fixed.
Felix