[20786] in bugtraq


Re: in.fingerd follows sym-links on Solaris 8

daemon@ATHENA.MIT.EDU (Darren Moffat)
Mon May 28 16:39:51 2001

Message-Id: <200105251955.f4PJt0W995850@jurassic.eng.sun.com>
Date: Fri, 25 May 2001 12:54:33 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
Reply-To: Darren Moffat <Darren.Moffat@eng.sun.com>
To: bugtraq@securityfocus.com, lluzar@developers.of.pl

> Ok, the example wasn't good.
> It was a long day for me, thus, please forgive me that slip-up.
>
This is certainly a much better example, but:

> For example, many httpd servers work with the same privileges;
> it means that you can read any CGI temporary file, and other
> files readable only by CGI scripts.

httpd servers shouldn't be running as user nobody; they should be
running as user www or something similar.

> I think about a case where a CGI script saves some important
> information in a temporary file, like PHP does with the sessions:
>
>  -rw------- 1 nobody nobody    329 May 14 12:16  /tmp/sess_0cd156a633

The bug is in one of PHP/CGI/httpd NOT in in.fingerd.

nobody has a very special meaning: it is the user ID that root gets mapped
to over NFS.  It was created for that reason and that reason alone; it
is NOT a general-purpose account to run daemons or CGI or anything else
under.  If applications need to run as a user other than root then they
should have a user for that application, e.g. Oracle DB server runs as
the user oracle.

in.fingerd is a special case and it is running as nobody explicitly because
there should be no sensitive files that are owned by the nobody user.  If
you have a system where there are local files that are owned by nobody
then you have a configuration error or a bug in another application but it
isn't in.fingerd's problem.

--
Darren J Moffat
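
An added example, not part of the original message or of any Solaris tooling: a small audit for the condition described above, local regular files owned by a given uid, flagging those readable only by their owner (like the `sess_` file quoted in the thread). The function names and the sample file are constructed for illustration, and the demo uses the current uid as a stand-in for nobody so it runs unprivileged.

```python
import os
import stat
import tempfile


def _dev(path):
    try:
        return os.lstat(path).st_dev
    except OSError:
        return None


def files_owned_by(uid, roots):
    """Regular files owned by uid, as (path, mode string, owner_only)."""
    findings = []
    for root in roots:
        root_dev = _dev(root)
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            # Stay on the root's filesystem: on NFS mounts root is mapped to
            # nobody, so nobody-owned files there are expected, not findings.
            dirnames[:] = [d for d in dirnames
                           if _dev(os.path.join(dirpath, d)) == root_dev]
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: symlinks are never followed
                except OSError:
                    continue  # file vanished between listing and lstat
                if stat.S_ISREG(st.st_mode) and st.st_uid == uid:
                    owner_only = (st.st_mode & 0o077) == 0
                    findings.append((path, stat.filemode(st.st_mode), owner_only))
    return sorted(findings)


def demo():
    """Constructed sample; the current uid stands in for nobody."""
    with tempfile.TemporaryDirectory() as tmp:
        sess = os.path.join(tmp, "sess_example")  # constructed file name
        with open(sess, "w") as fh:
            fh.write("constructed session data\n")
        os.chmod(sess, 0o600)
        os.symlink(sess, os.path.join(tmp, "link"))  # must not be reported
        return [(os.path.basename(p), mode, owner_only)
                for p, mode, owner_only in files_owned_by(os.getuid(), [tmp])]


if __name__ == "__main__":
    print(demo())
```

On a real host, pass `pwd.getpwnam("nobody").pw_uid` and the local directories to check, such as `/tmp`; any result means some application is running as nobody and should be moved to its own account.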

