Yet another finger hole
Steve D. Miller
steve at brillig.umd.edu
Wed Nov 23 09:17:58 AEST 1988

It has been pointed out to me by Tony Nardo at APL (trn at warper.jhuapl.edu)
that there's yet another (smallish) problem with finger under at least
SunOS 3.X. Basically, one can make a symlink from one's own .plan to some
protected file in another user's directory, then take advantage of the
fact that in.fingerd runs from inetd (which runs as root) to read the
"unreadable" file.

The fix, as I see it, is to run a more reasonable inetd (like the 4.3BSD
one, which allows you to specify the user as which a daemon should run),
or to do:

# chown nobody /usr/etc/in.fingerd
# chgrp nobody /usr/etc/in.fingerd
# chmod 6755 /usr/etc/in.fingerd

This will make fingerd run as nobody.

This problem is likely to exist in any system that doesn't provide a
4.3BSD-style inetd.conf. Whether or not that includes SunOS 4.X, I don't
know, but I'd like to find out. [[ See the next message. --wnl ]]

This is sure the week for the security problems to come out of the
woodwork, isn't it!

-Steve
Spoken: Steve Miller Domain: steve at mimsy.umd.edu UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808 USPS: UMIACS, Univ. of Maryland, College Park, MD 20742
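
Added example (not part of the original post and not taken from any fingerd source): a defensive way for a daemon to open a user's .plan so that a symlink or hard link to someone else's file is refused, complementing the run-as-nobody fix described above. The names open_plan() and demo() are hypothetical, the demo files are constructed in a temporary directory, and O_NOFOLLOW is assumed to be available (it postdates SunOS 3.X).

```c
/* Added example: open_plan() and demo() are hypothetical names. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` as the .plan of user `owner`. Returns a descriptor, or -1 if
 * the last path component is a symlink, the object is not a regular file,
 * or it belongs to a different user (which also rejects hard links). */
int open_plan(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW fails on a symlink; O_NONBLOCK avoids hanging on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Check the opened descriptor, not the name, so nothing can be swapped
     * between the check and the read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a temp dir: a target file, a symlink to it, and an
 * ordinary .plan. Result bits: 1 = symlink refused, 2 = real file accepted,
 * 4 = file refused when the expected owner differs. */
int demo(void)
{
    char dir[] = "/tmp/plan-demo-XXXXXX", target[64], plan[64], lnk[64];
    int fd, bits = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(plan, sizeof plan, "%s/plan", dir);
    snprintf(lnk, sizeof lnk, "%s/plan-link", dir);
    if ((fd = open(target, O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);
    if ((fd = open(plan, O_CREAT | O_WRONLY, 0644)) >= 0) close(fd);
    if (symlink(target, lnk) != 0) return -1;
    if (open_plan(lnk, getuid()) < 0) bits |= 1;
    if ((fd = open_plan(plan, getuid())) >= 0) { bits |= 2; close(fd); }
    if (open_plan(plan, getuid() + 1) < 0) bits |= 4;
    unlink(lnk); unlink(plan); unlink(target); rmdir(dir);
    return bits;
}

int main(void) { printf("demo bits: %d\n", demo()); return 0; }
```

O_NOFOLLOW only guards the final path component, so the home directory path itself should come from the password database rather than from anything the user controls.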