[20757] in bugtraq


Re: in.fingerd follows sym-links on Solaris 8

daemon@ATHENA.MIT.EDU (Matthew R. Potter)
Thu May 24 15:41:26 2001

Message-Id: <3.0.6.32.20010524134718.00894100@192.168.10.140>
Date: Thu, 24 May 2001 13:47:18 -0400
To: <bugtraq@securityfocus.com>
From: "Matthew R. Potter" <mpotter@atpco.com>
In-Reply-To: <Pine.LNX.4.33.0105241753470.11377-100000@unix.developers.o
 f.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"


> I believe it could be dangerous in some cases, but people from
> Sun say that they won't repair the in.fingerd because:

Well finger is enabled by default and it runs as nobody... so you can't
link to /etc/shadow... 

finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd

I think finger even still bounces.. @host@host... 

> "There may be legitimate reasons for finger to follow symlinks. If
> finger is considered a security issue, it can be disabled. (..)"

I think it's an issue of, what is the point of fixing it? 

>
> What do you think ?

I won't sleep at night over this one. 


Matt
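
Added example (not part of the original message or of Sun's code): a small model of the point made above, that what a symlink-following in.fingerd can expose is bounded by the user inetd runs it as. The inetd.conf text reuses the entry quoted in the message plus two constructed lines; the uids, gids, file modes and the function names are assumptions made for illustration.

```python
import stat

# Constructed sample: the inetd.conf entry quoted in the message plus two
# hypothetical lines (a disabled entry and a root-run service) for contrast.
SAMPLE_INETD = """\
finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#finger stream  tcp     nowait  root    /usr/sbin/in.fingerd    in.fingerd
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
"""

def service_user(conf_text, service):
    """Return the run-as user of the first enabled entry for `service`, or None."""
    for line in conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or commented-out (disabled) entry
        if len(fields) >= 6 and fields[0] == service:
            return fields[4]  # fifth inetd.conf column is the user
    return None

def can_read(uid, gids, f_uid, f_gid, mode):
    """Classic Unix read check (no ACLs): root bypasses, then owner/group/other."""
    if uid == 0:
        return True
    if uid == f_uid:
        return bool(mode & stat.S_IRUSR)
    if f_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

# Constructed account and file metadata (assumed values, not from the page):
# user -> (uid, gids), path -> (owner uid, group gid, mode).
ACCOUNTS = {"nobody": (60001, {60001}), "root": (0, {0})}
TARGETS = {
    "/etc/shadow": (0, 3, 0o400),
    "/etc/passwd": (0, 3, 0o644),
}

def exposure(conf_text, service):
    """Map each candidate symlink target to whether the service user could read it."""
    user = service_user(conf_text, service)
    if user is None:
        return {}  # service disabled or absent: nothing is exposed through it
    uid, gids = ACCOUNTS[user]
    return {p: can_read(uid, gids, *meta) for p, meta in TARGETS.items()}

if __name__ == "__main__":
    for path, readable in exposure(SAMPLE_INETD, "finger").items():
        print(f"{path}: {'readable' if readable else 'denied'}")
```

Under these assumptions the daemon running as nobody is denied /etc/shadow but can still read world-readable targets, which is the residual exposure to weigh when deciding whether to disable the service.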

