On Mon, 13 Jul 1998, Michael H. Warfield wrote:
> I would also like to remark about one thing. Solar Designer
> quoted one possible action from the advisory. That one point was a
> suggestion made by my Sun contacts. It was NOT our recommendation as
> the action to be taken. My PERSONAL recommendation is to disable finger
> if at all possible. It provides way too much information about accounts and
actually, finger is only top of ice mountain, what it will do:
setpwent()
while( getpwent() ) {}
endpwent()
nothing more. but, if this is such simple, nothing will prevent users
INSIDE to write this; easy and simple way to block sysadmins while
cleaning trails or whatever. Actually, there are not only password tables
around - there are tables for services, mail aliases etc. After all,
calling NIS functions directly is not such big mystery...
just another way to generate load for server- if there are netgroups used
for some kind of access control - tcpd wrapper, NFS access etc...
so, even if You can survive one type of attack - netgroups are not too big
etc, combining different types may be just enough to bring down system...
toomas soome
Tartu University, Estonia
--
Gee, I feel kind of LIGHT in the head now, knowing I can't make my
satellite dish PAYMENTS!
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:07 PDT