old gnu finger bugs

From: Andrew Jones (CS/Physics student) (jonesat_private)
Date: Wed Jul 21 1999 - 10:26:54 PDT


    This is an old issue that has not been resolved.
    
    Gnu finger version 1.37, which is downloadable from metalab, has two old
    security problems that date back to 1995.  Here are some of the original
    posts.
    
    http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-03-15&thread=199503181615.RAA03894at_private-clausthal.de
    
    Both problems have to do with dropping permissions improperly.
    
    1)
    	If you allow support for users to use a .fingerrc, a program that
    is run when you are fingered, that program gets run with group root
    privileges.  This is because the author drops uid before gid and thus doesn't
    have power to drop gid.
    
    2)
    	If you symlink your .plan, .forward, or .project to a file that
    you want, you can read any file on the system when you finger yourself.
    This is because the author does not drop permissions at all before reading
    those files.
    
    
    There are 3 ways to fix this.
    
    1)
    	Simply run the daemon as nobody out of inetd.conf.  This works well
    but doesn't allow the .fingerrc to be run with the user's permissions as the
    author intended.
    
    2)
    	The erroneous code is in finger-1.37/lib/site/userinfo.c; I have
    included the diff below, which I believe fixes this.
    
    
    251d250
    < 	  setgid (user->pw_gid);
    252a252
    > 	  setgid (user->pw_gid);
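    Review bot: the 251d250/252a252 pair reads as moving the `setgid (user->pw_gid);` call later in the file (deleted at old line 251, re-inserted after old line 252), which is the opposite of the fix the text describes, since the gid has to be dropped before the uid; if this was produced as `diff new old`, please regenerate it as `diff old new` (or tell readers to apply it with `patch -R`) and include a line of context so the position relative to the setuid call is visible. The moved call also still ignores its return value: a failed setgid followed by a successful setuid leaves the process running with group root, which is exactly the condition problem 1 describes, so the result should be checked and the request aborted on failure.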
    478,482c478
    <
    <       /* Set uid/gid */
    <       setgid (entry->pw_gid);
    <       setuid (entry->pw_uid);
    <
    ---
    >
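    Review bot: this hunk reads as deleting the `/* Set uid/gid */` block at old lines 478-482 and leaving only a blank line, i.e. it removes a privilege drop, whereas the fix for problem 2 needs one added before the .plan/.project/.forward reads; like the first hunk, that is consistent with the diff having been generated with its arguments reversed, so please confirm the direction before anyone applies it. Within the block itself, the `setgid (entry->pw_gid);` and `setuid (entry->pw_uid);` return values are unchecked and supplementary groups are never cleared (no setgroups call precedes them), so even applied in the intended direction the drop is incomplete for a daemon started as root.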
    
    3)
    	Don't run gnu finger.
    
    
    Drew
    -----
    CS/Physics Student at the University of Northern Iowa
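An added example of the two fixes the post calls for, written by the editor and not taken from the post or from GNU finger: a privilege-dropping routine that clears supplementary groups, sets the gid before the uid, checks every call and verifies the drop cannot be undone, followed by a hypothetical `read_dotfile` helper that only opens a user's dot file after that drop, so a planted symlink resolves with the user's own access rights. It assumes it runs in the per-request child of a daemon (a permanent drop cannot be reversed to serve the next user) and constructs its own temporary .plan for the self-check.

```c
/* Added example: correct order of dropping privileges in a finger-style
 * daemon, then reading a user's dot file only after the drop.
 * Not code from the post or from GNU finger. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the target user. Order matters: supplementary groups and the
 * primary gid must go first, because once the uid is no longer 0 the process
 * has no authority left to change its groups (problem 1 in the post).
 * Every call is checked and the result is verified. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; an unprivileged
         * caller has nothing to clear, so skip it there. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify that all real/effective ids changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If root can still be regained the drop was incomplete: refuse to go on. */
    if (uid != 0 && (setuid(0) == 0 || setgid(0) == 0))
        return -1;
    return 0;
}

/* Hypothetical helper: read up to cap-1 bytes of $HOME/<name> into buf,
 * dropping to the file owner's ids BEFORE the open (problem 2 in the post).
 * Returns the byte count or -1; buf is NUL-terminated on success. */
ssize_t read_dotfile(const char *home, const char *name,
                     uid_t uid, gid_t gid, char *buf, size_t cap)
{
    char path[4096];
    int len = snprintf(path, sizeof path, "%s/%s", home, name);
    if (len < 0 || (size_t)len >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }

    /* From here on a symlink in the home directory resolves with the
     * user's own access rights, not root's. */
    if (drop_privileges(uid, gid) != 0)
        return -1;

    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Self-check with a constructed .plan in a temp directory (no root needed):
 * drops to the caller's own ids and reads the file back. Returns 1 if the
 * content round-trips, 0 otherwise. */
int self_check(void)
{
    char dir[] = "/tmp/fingerXXXXXX";           /* constructed scratch dir */
    const char *plan = "constructed plan text\n"; /* constructed sample */
    char path[4096], buf[64];

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/.plan", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 0;
    if (write(fd, plan, strlen(plan)) != (ssize_t)strlen(plan)) {
        close(fd);
        return 0;
    }
    close(fd);

    ssize_t n = read_dotfile(dir, ".plan", getuid(), getgid(), buf, sizeof buf);
    unlink(path);
    rmdir(dir);
    return n == (ssize_t)strlen(plan) && strcmp(buf, plan) == 0;
}

int main(void)
{
    if (!self_check()) {
        fprintf(stderr, "self-check failed: %s\n", strerror(errno));
        return 1;
    }
    puts("privileges dropped before reading .plan: ok");
    return 0;
}
```

The check that `setuid(0)` fails after the drop is what turns a silent mistake (the one the post describes, where the gid drop is attempted after the uid drop and quietly fails) into a hard error at request time; in a real daemon the failure path should end the child, not fall through to serving the request.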
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:54 PDT