[10338] in bugtraq
Re: Ffingerd privacy issues
daemon@ATHENA.MIT.EDU (Eilon Gishri)
Fri Apr 23 15:11:31 1999
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990423220008.A21345@aristo.tau.ac.il>
Date: Fri, 23 Apr 1999 22:00:08 +0300
Reply-To: Eilon Gishri <eilon@ARISTO.TAU.AC.IL>
From: Eilon Gishri <eilon@ARISTO.TAU.AC.IL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990423194332.A19414@vim.org>; from Felix von Leitner on Fri,
Apr 23, 1999 at 07:43:33PM +0200
On Fri, Apr 23, 1999 at 07:43:33PM +0200, Felix von Leitner wrote:
> Thus spake Eilon Gishri (eilon@aristo.tau.ac.il):
> > I found a couple of bugs in ffingerd 1.19 which are related to
> > privacy.
>
> OK. I would be happy if you email me (the author) first before
> publishing this on bugtraq. Next time, maybe.
I've e-mailed you and Cc-ed BugTraq. As my email includes a fix (A
very complicated one I must say :)) I also notified the list. I'm
not sure I would have done the same if I couldn't fix it myself.
> [ffingerd assumes the user wants to be fingered if his home does not
> give public execute access]
Huh, It's opened if it's closed ?
> This is documented in ffingerd. If you want ffingerd to look into
> protected homes, run it as root.
I want the machine itself to be protected and not only the users home
directory. I consider it a feature when I don't have to run fingerd
as root. Please don't consider it as a flame, I do like this utility
and am using it.
> > -----
> > (aristo)/cc/eilon>finger root@host.domain
> > [host.domain]
> > That user does not want to be fingered
> > -----
>
> > Hmmm, now for an unknown user.
>
> > -----
> > (aristo)/cc/eilon>finger root1@host.domain
> > [host.domain]
> > That user does not want to be fingered.
> > -----
>
> > Oops. Notice the dot ('.') at the end of the sentence. A very simple
> > and efficient way to find whether the user exists on the remote host
> > or not (taking into account the fact that ffingerd has been installed
> > on the remote host).
>
> This has been pointed out to me yesterday. I fixed it today (before I
> saw this message, by the way), and announced version 1.20 on Freshmeat
> pointing out this fixed problem. Did you see my announcement and then
> posted to bugtraq?
Nope. I was playing with it on a machine which I would like to see all
fingers which are done to it without giving away any "free" information
> This is debatable.
> If a user wants privacy, he should remove the world readable permission,
> not the world executable permission.
I disagree.
> I will not add this right now but think it over. If anyone wants to
> comment on the way to go here, feel free to email me. I would prefer
> discussion this in private email than on bugtraq, but if you must, I
> will also read bugtraq comments.
--
Eilon Gishri eilon@aristo.tau.ac.il
Security Consultant Office: +972-3-6406723
Israel Inter University Computation Center Fax: +972-3-6409118
/* On a matter of national security */ Home: +972-3-5078671
