[1811] in SIPB_Linux_Development
Re: update script reminder
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Tue Sep 23 01:48:55 1997
From: mhpower@MIT.EDU
Date: Tue, 23 Sep 1997 01:46:20 -0400
To: amu@MIT.EDU
Cc: linux-dev@MIT.EDU
In-Reply-To: "[0099] in linux-athena archive"
> ... You
>should also edit /etc/inetd.conf and put a # at the beginning of the
>line that starts "finger". (There's a known hole in the finger
>daemon, but Red Hat hasn't released a version of the appropriate
>package that works with 4.0.0.)
NetKit-B-0.09-8.src.rpm includes a file NetKit-0.09-fingerd.patch
that contains:
--- NetKit-0.09/fingerd/fingerd.c.ewt Mon Sep 22 21:12:30 1997
+++ NetKit-0.09/fingerd/fingerd.c Mon Sep 22 21:12:56 1997
@@ -100,6 +100,8 @@
if ((pw = getpwnam("nobody")) != NULL) {
setgid(pw->pw_gid);
setuid(pw->pw_uid);
+ } else {
+ fatal("getpeername", 1);
}
opterr = 0;
It would apparently be safe to instead recommend that users ensure
that they have a passwd entry for "nobody" if they want to enable
the finger service.
I'm not sure what to make of RedHat's use of fatal("getpeername")
rather than fatal("getpwnam"). Perhaps they didn't bother looking at
the content of the patch, in addition to not bothering to suggest a
more reasonable workaround. Incidentally, today's tftpd patch also has
a typo:
--- NetKit-0.09/tftpd/tftpd.c.security Sun Dec 29 13:42:56 1996
+++ NetKit-0.09/tftpd/tftpd.c Mon Sep 22 21:19:49 1997
[other parts of patch omitted...]
+ else {
+ syslog(LOG_ERR, "user nobody cannot bo found\n");
+ exit(1);
+ }
Matt
