Yet another finger hole

Piete Brooks pb%computer-lab.cambridge.ac.uk at nss.cs.ucl.ac.uk
Sun Dec 4 09:22:46 AEST 1988


> The fix, as I see it, is to run a more reasonable inetd (like the 4.3BSD
> one, which allows you to specify the user as which a daemon should run),
> or to do:
> 	# chown nobody /usr/etc/in.fingerd
> 	# chgrp nobody /usr/etc/in.fingerd
> 	# chmod 6755 /usr/etc/in.fingerd
> This will make fingerd run as nobody.

********** DO NOT DO THIS without thinking VERY carefully ! **********

As I see it this allows anyone who accesses your machine as "nobody" (e.g.
root on an untrusted machine accessible to random undergrads) to gain root
access to your machine !

If they can mount your /usr/etc writable, then all they have to do is to
chmod in.fingerd (if people really DID set it writable by "nobody") so
that you can write it, insert your favourite program, chmod it to be NOT
setuid, then run a remote finger !

May I suggest moving /usr/etc/in.fingerd to (e.g.) /usr/etc/In.fingerd and
replacing it with a script:

#! /bin/sh
exec su nobody -c /usr/etc/In.fingerd

[ exec if you don't trust your sh to exec the last command of a script ]
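The hazard in this thread is a setuid/setgid daemon binary owned by (or writable by) an unprivileged account such as "nobody". The following POSIX sh audit script is an added example written for this archive page; it is not part of Piete Brooks's post or of any Sun tool. The function names `classify_perms` and `audit_file` are assumed for illustration, and the mode string is in the format printed by `ls -l`.

```shell
#!/bin/sh
# Added example (not from the original post): audit a daemon binary for the
# combination warned about above, i.e. setuid/setgid on a file that is owned by
# an unprivileged user, or that is writable by its group or by others.

# classify_perms MODE OWNER
#   MODE  is an ls -l style permission string such as -rwsr-sr-x
#   OWNER is the owning user name
# Prints SETID_UNPRIVILEGED_OWNER, WRITABLE or OK on stdout.
classify_perms() {
    mode=$1
    owner=$2

    # Position 4 is the owner-execute slot (s/S = setuid),
    # position 7 is the group-execute slot (s/S = setgid).
    setid=no
    case "$mode" in
        ???[sS]*|??????[sS]*) setid=yes ;;
    esac

    # Position 6 is group-write, position 9 is other-write.
    writable=no
    case "$mode" in
        ?????w*|????????w*) writable=yes ;;
    esac

    # Anything other than root counts as an unprivileged owner: an attacker
    # who can act as that user can rewrite the file and keep the setuid bit.
    unpriv=no
    case "$owner" in
        root) ;;
        *) unpriv=yes ;;
    esac

    if [ "$setid" = yes ] && [ "$unpriv" = yes ]; then
        printf '%s\n' SETID_UNPRIVILEGED_OWNER
    elif [ "$writable" = yes ]; then
        printf '%s\n' WRITABLE
    else
        printf '%s\n' OK
    fi
    return 0
}

# audit_file PATH: read mode and owner from ls -ld and classify them.
# (ls -ld output: mode links owner group size date... name)
audit_file() {
    set -- $(ls -ld "$1")
    classify_perms "$1" "$3"
}

# Constructed inputs matching the recipe quoted in the post (chown nobody +
# chmod 6755) and the safer root-owned layout; no real file is inspected.
printf 'chown nobody + chmod 6755 : %s\n' "$(classify_perms -rwsr-sr-x nobody)"
printf 'root-owned 4755           : %s\n' "$(classify_perms -rwsr-xr-x root)"
printf 'root-owned but group-write: %s\n' "$(classify_perms -rwsrwxr-x root)"

# Usage against real paths:  audit_file /usr/etc/in.fingerd
for path in "$@"; do
    printf '%s: %s\n' "$path" "$(audit_file "$path")"
done
```

Note that the root-owned wrapper script in the post passes this check: the script itself stays owned by root and non-writable, and the privilege drop happens at run time via `su nobody`, so nothing that "nobody" can write is ever executed with elevated privilege.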


