Subject: Re: cvs commit: src/usr.bin/finger finger.c
From: Joseph Scott (joseph.scott@owp.csus.edu)
Date: Mon Oct 02 2000 - 19:53:28 CDT


Brian Somers wrote:
>
> brian 2000/10/02 15:27:34 PDT
>
> Modified files:
> usr.bin/finger finger.c
> Log:
> Don't allow finger /somefile, only allow filename expansions from
> inside /etc/finger.conf

        This is one of those things that makes me go ack! So I started
trying on a couple of my machines here. I tried it first against my
own notebook running 4.1. It worked just as expected when run up
against /etc/passwd@localhost. It did not work against a 3.4 machine
from the notebook though. I haven't looked too much closer at that part,
but it seems to point to this "feature" being added somewhere between
Jan 27 and Sep 14 (about the last world builds for these two
machines).

        Another thing I've noticed: it looks like it only works against world
readable files. So someone couldn't do a finger
/etc/master.passwd@goodguysrus.com and expect something back. There
are of course plenty of world readable files on a system that I
wouldn't really want everyone and their fish to look at :-(

        I'm not a fan of finger in general; turning off inetd entirely is
part of a normal install for me.

-- 
Joseph Scott
joseph.scott@owp.csus.edu
The Office Of Water Programs - CSU Sacramento
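As an added illustration of the rule stated in the commit log above (this is example code written for this archive page, not the FreeBSD finger.c change itself, whose diff is not shown here): a small C routine that classifies a finger query as a user lookup, a file expansion, or a rejected request. It assumes /etc/finger.conf-style lines of the form alias:target (a constructed in-memory sample is used instead of the real file), and the function names conf_lookup and resolve_query are hypothetical. The point it demonstrates is the one from the log message: a literal "/somefile" arriving from the network is refused, and a path is only ever displayed when it comes from an alias the administrator put in the configuration file.

```c
/* Added example: query classification in the spirit of the finger.c fix.
 * Not the FreeBSD code; finger.conf format (alias:target) is an assumption. */
#include <stdio.h>
#include <string.h>

enum { QUERY_REJECT = 0, QUERY_USER = 1, QUERY_FILE = 2 };

/* Constructed sample of finger.conf-style lines (not a real config file). */
static const char *const sample_conf[] = {
    "help:/usr/local/share/finger-help.txt", /* alias expanding to a file */
    "admin:root",                            /* alias expanding to a user */
    NULL
};

/* Find an alias in the configuration lines; returns its target or NULL. */
const char *conf_lookup(const char *const *conf, const char *name)
{
    for (; *conf != NULL; conf++) {
        const char *colon = strchr(*conf, ':');
        if (colon == NULL)
            continue; /* malformed line, ignore */
        size_t n = (size_t)(colon - *conf);
        if (n == strlen(name) && strncmp(*conf, name, n) == 0)
            return colon + 1;
    }
    return NULL;
}

/* Decide what a query may do. Writes the resolved name into out.
 * Only an alias from the configuration may turn into a file path;
 * any slash in a query that is not a configured alias is refused. */
int resolve_query(const char *const *conf, const char *query,
                  char *out, size_t outlen)
{
    const char *target = conf_lookup(conf, query);
    if (target != NULL) {
        snprintf(out, outlen, "%s", target);
        return target[0] == '/' ? QUERY_FILE : QUERY_USER;
    }
    if (strchr(query, '/') != NULL) {
        out[0] = '\0';
        return QUERY_REJECT; /* "finger /etc/passwd@host" lands here */
    }
    snprintf(out, outlen, "%s", query);
    return QUERY_USER;
}

int main(void)
{
    const char *queries[] = { "/etc/passwd", "help", "admin", "joseph", "../x" };
    char out[256];
    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++) {
        int r = resolve_query(sample_conf, queries[i], out, sizeof out);
        printf("%-12s -> %s %s\n", queries[i],
               r == QUERY_REJECT ? "rejected" : r == QUERY_FILE ? "file" : "user",
               out);
    }
    return 0;
}
```

Running the stand-alone main prints one line per constructed query; the two queries containing a slash are rejected, "help" resolves to the configured file, and the others resolve to user names. Note that this check says nothing about file permissions: as the post observes, what the daemon can read is bounded by the account it runs as, so the configuration-only rule and a non-privileged daemon account are complementary controls.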
