On a Solaris 8, i386 machine, I did the following:

    $ ls -al
    drwxr-xr-x   4 j        other        512 May 28, 14:12 .
    drwxr-xr-x   5 root     root         512 May 28, 14:10 ..
    lrwxrwxrwx   1 j        other          6 May 28, 14:12 .plan -> myplan
    -rw-------   1 nobody   nobody        17 May 28, 14:12 myplan

    $ finger -l j@localhost
    [localhost]
    Login name: j
    Directory name: /export/home/j
    Shell: /bin/sh
    Last login Mon May 28, 14:12 on console from :0
    No unread mail.
    No plan.

After I changed the mode of myplan to world-readable, finger gave me

    $ finger -l j@localhost
    [localhost]
    Login name: j
    Directory name: /export/home/j
    Shell: /bin/sh
    Last login Mon May 28, 14:12 on console from :0
    No unread mail.
    Plan:
    This is my plan.

So I'd say in.fingerd is not vulnerable to the symlink attack you describe.

J. Bol

Lukasz Luzar wrote:
> Hello,
>
> Ok, the example wasn't good.
> It was a long day for me, thus, please forgive me that slip-up.
>
> The sym-links attack is very useful when you want to read
> files that are readable only by an unprivileged user.
>
> For example, many httpd servers work with the same privileges,
> which means that you can read any CGI temporary file, and other
> files readable only by CGI scripts.
>
> I think about a case where a CGI script saves some important
> information in a temporary file, like PHP does with the sessions:
>
> -rw------- 1 nobody nobody 329 May 14 12:16 /tmp/sess_0cd156a633
>
> When you have in.fingerd installed, and the in.fingerd is vulnerable,
> all local users are able to read the information from the files.
>
> There are a few other examples.
>
> --
> Lukasz Luzar
> http://Developers.of.PL/
> Crede quod habes, et habes
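The thread above is about a daemon that reads a user-controlled dotfile (~user/.plan) while running with privileges the user does not have, so a symlink planted in place of the dotfile can expose a file such as the session file Lukasz lists. The C below is an added example, written for this archive page and not taken from either poster, Solaris, or any fingerd source; it shows the guarded read a server should do in that situation: open with O_NOFOLLOW so a symlink is refused outright, then fstat the already-open descriptor and require a regular file owned by the user being fingered. The function names, and the scratch directory under /tmp with a "myplan" file and a ".plan" symlink that mirrors the ls listing in the post, are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#if defined(__linux__) && !defined(O_NOFOLLOW)
#define O_NOFOLLOW 0400000   /* Linux generic value, in case a strict -std hides it */
#endif
int symlink(const char *target, const char *linkpath); /* prototype repeated for strict -std builds */

/* Open a user-controlled dotfile (e.g. ~user/.plan) defensively. O_NOFOLLOW
 * refuses a symlink at the final component (ELOOP; EMLINK on some BSDs), and
 * the fstat on the open descriptor, rather than an lstat on the path that a
 * concurrent rename could defeat, requires a regular file owned by the user
 * the request is for. Returns an open fd, or -1 with errno set. */
int open_plan_nofollow(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Read up to len-1 bytes through the guarded open. Returns bytes read, or -1. */
ssize_t read_plan(const char *path, uid_t owner, char *buf, size_t len)
{
    int fd = open_plan_nofollow(path, owner);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;
    close(fd);
    errno = saved;
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed fixture mirroring the ls listing in the post:
 *   myplan   a regular file (owned by us here, standing in for the 'nobody' file)
 *   .plan    a symlink pointing at myplan
 * Paths are written into the caller's buffers; returns 0 on success. */
int make_fixture(char *dir, size_t dlen, char *plan, size_t plen, char *link, size_t llen)
{
    snprintf(dir, dlen, "/tmp/plan_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0 && errno != EEXIST)
        return -1;
    snprintf(plan, plen, "%s/myplan", dir);
    snprintf(link, llen, "%s/.plan", dir);
    FILE *f = fopen(plan, "w");
    if (!f)
        return -1;
    fputs("This is my plan.\n", f);   /* 17 bytes, the size ls shows for myplan */
    fclose(f);
    unlink(link);                       /* tolerate a leftover from an earlier run */
    return symlink("myplan", link);
}

/* Runs the three behaviours a fingerd-style reader should exhibit and returns
 * how many of them held (3 when everything behaves as intended). */
int demo_checks(void)
{
    char dir[64], plan[96], link[96], buf[128];
    int passed = 0;
    if (make_fixture(dir, sizeof dir, plan, sizeof plan, link, sizeof link) != 0)
        return -1;

    /* 1. A regular file owned by the user being fingered is served. */
    if (read_plan(plan, getuid(), buf, sizeof buf) == 17 &&
        strcmp(buf, "This is my plan.\n") == 0)
        passed++;

    /* 2. The symlink .plan -> myplan is refused before a byte is read. */
    if (read_plan(link, getuid(), buf, sizeof buf) == -1 &&
        (errno == ELOOP || errno == EMLINK))
        passed++;

    /* 3. A file whose owner is not the user being fingered is refused. */
    if (read_plan(plan, getuid() + 1, buf, sizeof buf) == -1 && errno == EPERM)
        passed++;

    unlink(link);
    unlink(plan);
    rmdir(dir);
    return passed;
}

int main(void)
{
    int n = demo_checks();
    printf("%d of 3 checks behaved as intended\n", n);
    return n == 3 ? 0 : 1;
}
```

The ownership test is done on the descriptor after the open rather than with lstat before it, because the path can be swapped between a stat and an open. The more complete mitigation is for the daemon to perform the read as the target user (switch uid before opening), so the kernel enforces the permission bits exactly as it did in J. Bol's test, where the plan only appeared once myplan was made world-readable; the O_NOFOLLOW and owner checks above are the belt-and-braces layer for a server that cannot or does not drop privileges.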
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 11:22:45 PDT