Date:      Thu, 9 Aug 2001 02:08:31 +0400
From:      Yar Tikhiy <yar@freebsd.org>
To:        hackers@freebsd.org, security@freebsd.org
Subject:   finger/fingerd & home directory permissions
Message-ID:  <20010809020831.B44660@comp.chem.msu.su>

Hello,

[Once I've sent this to -audit, but then was pointed]
[that it wasn't the right list for such a discussion]

Currently, finger(1) reveals user information if the user
has created the ``.nofinger'' file, but his home directory
is unreadable for finger(1).

In the case of local access, it's no problem, since anyone may read
/etc/passwd directly. OTOH, letting remote folks peek at user
information even if the user wants to hide himself is a bad thing.

The issue I'd like to submit to discussion is what way to choose:

a) Add a command-line option to finger(1) and fingerd(8) telling
   them not to reveal user information if the user's homedir is
   protected.

b) Similar to a), but hide such users by default.

c) Don't bother at all :-)

Personally, I'd prefer b) since it's most secure and seems to break
nothing. Do I overlook any complications?

-- 
Yar
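
The behaviour described in the message above, and what option b) would change, as an added C sketch. It is not part of the original e-mail and is not finger(1)'s source. The names `decide_hidden`, `user_is_hidden`, `demo_home` and the `policy` enum are hypothetical, as is the assumption that the `.nofinger` check is a `stat()` on the marker file. An inaccessible home directory makes that lookup inconclusive, and the policy decides whether the user is then revealed (fail-open) or hidden (fail-closed).

```c
#define _XOPEN_SOURCE 700              /* for mkdtemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What to do when the ~/.nofinger lookup cannot be completed. */
enum policy { FAIL_OPEN, FAIL_CLOSED };

/* Pure decision on the result (rc) and errno (err) of stat() on the marker. */
int decide_hidden(int rc, int err, enum policy p) {
    if (rc == 0) return 1;             /* marker exists: user opted out */
    if (err == ENOENT) return 0;       /* home was searchable, no marker */
    return p == FAIL_CLOSED;           /* EACCES etc.: lookup inconclusive */
}

/* Returns 1 if the account whose home directory is `home` must be hidden. */
int user_is_hidden(const char *home, enum policy p) {
    char path[1024];
    struct stat st;
    int n = snprintf(path, sizeof(path), "%s/.nofinger", home);
    if (n < 0 || (size_t)n >= sizeof(path))
        return p == FAIL_CLOSED;       /* truncated path: inconclusive too */
    int rc = stat(path, &st);
    return decide_hidden(rc, rc == 0 ? 0 : errno, p);
}

/* Constructed sample home holding .nofinger; returns the decision or -1. */
int demo_home(mode_t mode, enum policy p) {
    char home[] = "/tmp/nofinger-demo.XXXXXX", path[1024];
    if (mkdtemp(home) == NULL) return -1;
    snprintf(path, sizeof(path), "%s/.nofinger", home);
    FILE *f = fopen(path, "w");
    if (f == NULL) { rmdir(home); return -1; }
    fclose(f);
    chmod(home, mode);                 /* e.g. 0 = nobody may search it */
    int hidden = user_is_hidden(home, p);
    chmod(home, 0700);                 /* restore access, then clean up */
    unlink(path);
    rmdir(home);
    return hidden;
}

int main(void) {
    /* Root bypasses mode bits; run unprivileged to see the difference. */
    printf("mode 000 home: fail-open hidden=%d, fail-closed hidden=%d\n",
           demo_home(0, FAIL_OPEN), demo_home(0, FAIL_CLOSED));
    return 0;
}
```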
