On Mon, 13 Jul 1998, Michael H. Warfield wrote:

> I would also like to remark about one thing. Solar Designer
> quoted one possible action from the advisory. That one point was a
> suggestion made by my Sun contacts. It was NOT our recommendation as
> the action to be taken. My PERSONAL recommendation is to disable finger
> if at all possible. It provides way too much information about accounts

and actually, finger is only the tip of the iceberg. What it will do:

    setpwent();
    while (getpwent()) {}
    endpwent();

nothing more. But if this is so simple, nothing will prevent users INSIDE from writing this; an easy and simple way to block sysadmins while cleaning trails or whatever.

Actually, there are not only password tables around - there are tables for services, mail aliases etc. After all, calling NIS functions directly is not such a big mystery... just another way to generate load for the server - if there are netgroups used for some kind of access control - tcpd wrapper, NFS access etc... so, even if you can survive one type of attack - netgroups are not too big etc., combining different types may be just enough to bring down the system...

toomas soome
Tartu University, Estonia
--
Gee, I feel kind of LIGHT in the head now, knowing I can't make my satellite dish PAYMENTS!
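The three-call walk quoted above, written out as a small measurement tool an administrator can run to see what one finger-style request costs the backend that nsswitch resolves "passwd" to (a local file, NIS, or anything else). This is an added example and is not code from the post or from any finger implementation; the struct name, function names and the use of CPU time via clock() are my own choices, and the entry count and timing depend entirely on the machine it runs on.

```c
/* Added example (not from the original post): the enumeration that finger
 * performs, walked once with setpwent()/getpwent()/endpwent() and measured.
 * Every entry returned is one record fetched from the passwd backend, so the
 * count and the time together show how the cost scales with directory size
 * and with the number of callers repeating the walk. */
#include <pwd.h>
#include <stdio.h>
#include <time.h>

struct walk_stats {
    long entries;       /* passwd entries returned by the walk */
    double cpu_seconds; /* CPU time spent in the walk (clock() based) */
};

/* Enumerate every passwd entry exactly once and report the cost. */
struct walk_stats walk_passwd(void)
{
    struct walk_stats st = {0, 0.0};
    struct passwd *pw;
    clock_t t0 = clock();

    setpwent();                         /* rewind to the first entry */
    while ((pw = getpwent()) != NULL)   /* one backend record per call */
        st.entries++;
    endpwent();                         /* release the backend handle */

    st.cpu_seconds = (double)(clock() - t0) / CLOCKS_PER_SEC;
    return st;
}

/* Cost of n callers each repeating the full walk, assuming the linear
 * scaling the post describes (no caching between callers). */
double walk_cost(struct walk_stats st, int n)
{
    return st.cpu_seconds * n;
}

int main(void)
{
    struct walk_stats st = walk_passwd();
    printf("%ld passwd entries, %.6f s CPU for one walk\n",
           st.entries, st.cpu_seconds);
    printf("100 uncached walks: ~%.3f s CPU\n", walk_cost(st, 100));
    return 0;
}
```

On a host whose passwd map lives in NIS, the same walk turns into one map-enumeration round trip per entry against the NIS server, which is the load the post is talking about; the numbers printed here are only for the local resolver path.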
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:07 PDT