https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278827

            Bug ID: 278827
           Summary: fingerd(8): Avoid account leakage due to username
                    ambiguity (RFC 1288)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: john@jmarshall.id.au

Created attachment 250500
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=250500&action=edit
[PATCH] Add -m option to fingerd.c, fingerd.8, inetd.conf

PATCH
-----

The attached patch adds a new option to fingerd(8) in the following files.
Given the -m option, fingerd(8) will pass the -m option to finger(1) to ensure
strict username matching to avoid leaking details of multiple accounts arising
from partial matches on username and GECOS fields. This provides the
RECOMMENDED administrator option mentioned in RFC 1288.

 - fingerd.c
 - fingerd.8
 - inetd.conf

RFC 1288
--------

2.5.3. {U} ambiguity

   Allowable "names" in the command line MUST include "user names" or
   "login names" as defined by the system. If a name is ambiguous, the
   system administrator SHOULD be allowed to choose whether or not all
   possible derivations should be returned in some fashion (per section
   3.2.6).

STYLE
-----

I wanted to re-work fingerd.8 to re-order and format options as per style(9),
but that same document seems to discourage 'stylistic changes'. I'm happy to
do the work if that's permissible.

SEE ALSO
--------

The patch included with bug #39463 appears to include this functionality but
has been left to rot. I'm hoping that a single-issue patch might get this
through.

-- 
You are receiving this mail because:
You are the assignee for the bug.
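The ambiguity the report describes, as an added example that is not part of the original message or of the attached patch: a simplified model of loose versus strict (-m) name matching, run over constructed accounts. The account table and the functions gecos_word_match() and disclosed() are hypothetical, and the loose rule (a case-insensitive match on a word of the GECOS real name) is an assumption about how a partial match arises.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample accounts: login name and GECOS field. */
struct acct { const char *login; const char *gecos; };
static const struct acct accts[] = {
    { "john",   "John Smith,Room 1,555-0100" },
    { "jsmith", "Jane Smith" },
    { "backup", "Backup Operator" },
    { "smith",  "Build Account" },
};
#define NACCTS (sizeof(accts) / sizeof(accts[0]))

/* Loose rule (model of a lookup without -m): the query equals one word of
 * the real-name part of GECOS (text before the first comma), ignoring case. */
static int gecos_word_match(const char *gecos, const char *query)
{
    char name[128];
    size_t n = strcspn(gecos, ",");

    if (n >= sizeof(name))
        n = sizeof(name) - 1;
    memcpy(name, gecos, n);
    name[n] = '\0';
    for (char *w = strtok(name, " \t"); w != NULL; w = strtok(NULL, " \t"))
        if (strcasecmp(w, query) == 0)
            return 1;
    return 0;
}

/* Count the accounts one query would disclose; strict != 0 models -m,
 * where only an exact login-name match is answered. */
int disclosed(const char *query, int strict)
{
    int count = 0;

    for (size_t i = 0; i < NACCTS; i++) {
        if (strcmp(accts[i].login, query) == 0)
            count++;
        else if (!strict && gecos_word_match(accts[i].gecos, query))
            count++;
    }
    return count;
}

int main(void)
{
    printf("smith: loose=%d strict=%d\n", disclosed("smith", 0), disclosed("smith", 1));
    return 0;
}
```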