From owner-freebsd-bugs  Sat Oct 14 12:47:18 1995
Return-Path: owner-bugs
Received: (from root@localhost)
          by freefall.freebsd.org (8.6.12/8.6.6) id MAA16359
          for bugs-outgoing; Sat, 14 Oct 1995 12:47:18 -0700
Received: from xkis.nnov.su (root@gw04.kis.nnov.su [194.87.66.4])
          by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id MAA16351
          for <freebsd-bugs@freebsd.org>; Sat, 14 Oct 1995 12:47:02 -0700
Received: by xkis.nnov.su id WAA22224;
  (8.6.8/D) Sat, 14 Oct 1995 22:28:13 +0300
From: dv@xkis.nnov.su (Dmitry Valdov)
Message-Id: <199510141928.WAA22224@xkis.nnov.su>
Subject: secure finger is not enought secure
To: freebsd-bugs@freebsd.org
Date: Sat, 14 Oct 1995 22:28:12 +0300 (MSK)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Content-Length: 768       
Sender: owner-bugs@freebsd.org
Precedence: bulk

> 
> > But i can finger this host anyway (without specifying username):
> > 
> > --
> > 
> > merahq: {2} telnet localhost finger
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> 
> This is an entirely different matter.  It's not the finger service as
> invoked via inetd(8).

No. It is finger service, invoked via inetd (because i'm TELNETTING to
localhost). localhost is just for an example.

>  If you've already got access to the local
> machine, it doesn't make sense if you couldn't run finger locally.
> 

ok. Try to telnet <any_freebsd_host> finger_port_number
after connect, type '-l' (without quotes). And u'll see finger information 
of all users currently logged in.

Dmitry.

PS. I think, it's a bug in FreeBSD's finger.