Date: Wed, 8 Aug 2001 17:46:32 -0500 From: Alfred Perlstein <bright@mu.org> To: David G Andersen <danderse@cs.utah.edu> Cc: Yar Tikhiy <yar@FreeBSD.ORG>, security@FreeBSD.ORG Subject: Re: finger/fingerd & home directory permissions Message-ID: <20010808174632.J85642@elvis.mu.org> In-Reply-To: <200108082241.f78Mfcr11144@faith.cs.utah.edu>; from danderse@cs.utah.edu on Wed, Aug 08, 2001 at 04:41:38PM -0600 References: <20010808173947.I85642@elvis.mu.org> <200108082241.f78Mfcr11144@faith.cs.utah.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
* David G Andersen <danderse@cs.utah.edu> [010808 17:41] wrote: > Lo and behold, Alfred Perlstein once said: > > > > > > a) Add a command-line option to finger(1) and fingerd(8) telling > > > > them not to reveal user information if the user's homedir is > > > > protected. > > > > > > > > b) Similar to a), but hide such users by default. > > > > > > > > c) Don't bother at all :-) > > > > > > > > Personally, I'd prefer b) since it's most secure and seems to break > > > > nothing. Do I overlook any complications? > > > > > > Yes - it breaks the semantics of the existing fingerds that > > > people are used to. It's a gratuitious change with little benefit > > > that would simply confuse people who have a reasonable expectation > > > about what the default behavior of 'finger' should be. Don't do (b). > > > > Actually, I'd prefer (b) if it was a command line option. > > > > ie, not the default. > > And this differs from suggestion (a) in exactly what way? :) Er, oops, damn caffine. :) -- -Alfred Perlstein [alfred@freebsd.org] Ok, who wrote this damn function called '??'? And why do my programs keep crashing in it? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010808174632.J85642>