On Fri, Apr 23, 1999 at 07:43:33PM +0200, Felix von Leitner wrote:
> Thus spake Eilon Gishri (eilonat_private):
> > I found a couple of bugs in ffingerd 1.19 which are related to
> > privacy.
>
> OK. I would be happy if you email me (the author) first before
> publishing this on bugtraq.

Next time, maybe. I've e-mailed you and Cc-ed BugTraq. As my email includes a fix (a very complicated one, I must say :)) I also notified the list. I'm not sure I would have done the same if I couldn't fix it myself.

> [ffingerd assumes the user wants to be fingered if his home does not
> give public execute access]

Huh, it's opened if it's closed?

> This is documented in ffingerd. If you want ffingerd to look into
> protected homes, run it as root.

I want the machine itself to be protected and not only the user's home directory. I consider it a feature when I don't have to run fingerd as root. Please don't consider this a flame; I do like this utility and am using it.

> > -----
> > (aristo)/cc/eilon>finger rootat_private
> > [host.domain]
> > That user does not want to be fingered
> > -----
> >
> > Hmmm, now for an unknown user.
> >
> > -----
> > (aristo)/cc/eilon>finger root1at_private
> > [host.domain]
> > That user does not want to be fingered.
> > -----
> >
> > Oops. Notice the dot ('.') at the end of the sentence. A very simple
> > and efficient way to find whether the user exists on the remote host
> > or not (taking into account the fact that ffingerd has been installed
> > on the remote host).
>
> This has been pointed out to me yesterday. I fixed it today (before I
> saw this message, by the way), and announced version 1.20 on Freshmeat
> pointing out this fixed problem. Did you see my announcement and then
> post to bugtraq?

Nope. I was playing with it on a machine on which I would like to see all fingers that are done to it without giving away any "free" information.

> This is debatable.
> If a user wants privacy, he should remove the world readable permission,
> not the world executable permission.

I disagree.

> I will not add this right now but think it over. If anyone wants to
> comment on the way to go here, feel free to email me. I would prefer
> discussing this in private email than on bugtraq, but if you must, I
> will also read bugtraq comments.

--
Eilon Gishri                                    eilonat_private
Security Consultant                             Office: +972-3-6406723
Israel Inter University Computation Center      Fax:    +972-3-6409118
/* On a matter of national security */          Home:   +972-3-5078671
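A regression check for the trailing-dot oracle described in the report, added here as an example; it is not code from the thread or from ffingerd, and the refusal wording and function names are assumptions.

```python
"""Regression check for the finger-reply oracle discussed in this thread.

Added example, not ffingerd code. It shows (1) a byte-level comparison of
the two refusal lines quoted above and (2) a model reply handler that emits
one fixed refusal for every denied case, so an unknown user and a user who
opted out are indistinguishable on the wire. Wording and names are
assumptions, not ffingerd's.
"""

# Constructed from the two finger sessions quoted in the report
# (finger replies are CRLF-terminated lines).
KNOWN_USER_REPLY = b"That user does not want to be fingered\r\n"
UNKNOWN_USER_REPLY = b"That user does not want to be fingered.\r\n"

# The single refusal text used for every denied case (assumed wording).
REFUSAL = b"That user does not want to be fingered.\r\n"


def reply_differences(reply_a, reply_b):
    """List how two replies differ; an empty list means byte-identical.

    Trailing punctuation and line endings count: the oracle in the report
    was a single '.' at the end of an otherwise identical line.
    """
    diffs = []
    if len(reply_a) != len(reply_b):
        diffs.append("length %d vs %d" % (len(reply_a), len(reply_b)))
    for i, (x, y) in enumerate(zip(reply_a, reply_b)):
        if x != y:
            diffs.append("byte %d: %r vs %r" % (i, bytes([x]), bytes([y])))
            break
    return diffs


def build_reply(user_exists, allows_finger, info=b""):
    """Model handler: serve `info` only for an existing, consenting user.

    Every denied case (no such user, or user opted out) returns the same
    REFUSAL bytes, so the reply cannot be used to confirm account names.
    """
    if user_exists and allows_finger:
        return info + b"\r\n"
    return REFUSAL


if __name__ == "__main__":
    print("1.19-style replies differ:",
          reply_differences(KNOWN_USER_REPLY, UNKNOWN_USER_REPLY))
    print("fixed replies differ:",
          reply_differences(build_reply(False, False), build_reply(True, False)))
```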
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:40 PDT