Date:      Tue, 3 Oct 2000 09:30:03 +0200
From:      The Unicorn <unicorn@blackhats.org>
To:        Joseph Scott <joseph.scott@owp.csus.edu>
Cc:        Brian Somers <brian@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: cvs commit: src/usr.bin/finger finger.c
Message-ID:  <20001003093003.F89835@unicorn.blackhats.org>
In-Reply-To: <39D92E08.E00CF2E4@owp.csus.edu>; from joseph.scott@owp.csus.edu on Mon, Oct 02, 2000 at 05:53:28PM -0700
References:  <200010022227.PAA62603@freefall.freebsd.org> <39D92E08.E00CF2E4@owp.csus.edu>

On Mon, 02 Oct 2000, Joseph Scott supposedly wrote:

> 
> Brian Somers wrote:
> > 
> > brian       2000/10/02 15:27:34 PDT
> > 
> >   Modified files:
> >     usr.bin/finger       finger.c
> >   Log:
> >   Don't allow finger /somefile, only allow filename expansions from
> >   inside /etc/finger.conf
> 
> 	This is one of those things that makes me go ack!  So I started
> trying on a couple of my machines here.  I tried it first against my
> own notebook running 4.1.  It worked just as expected when run up
> against /etc/passwd@localhost.  It did not work against a 3.4 machine
> from notebook though.  I haven't looked too much closer at that part,
> but it seems to point to this "feature" being added somewhere between
> Jan 27 and Sep 14 (about the last world builds for these two
> machines).

I found the following:

[root @ me]:.../home/unicorn(2435)# finger /etc/passwd@localhost
[localhost]
finger: /etc/passwd: no such user
[root @ me]:.../home/unicorn(2436)# uname -a
FreeBSD me.xxx.org 4.0-STABLE FreeBSD 4.0-STABLE #0: Fri Jun  2 02:42:57 CEST 2000
root@me.xxx.org:/usr/src/sys/compile/ME  i386

> 	Another thing I've noticed, it looks like it only works against world
> readable files.  So someone couldn't do a finger
> /etc/master.passwd@goodguysrus.com and expect something back.  There
> are of course plenty of world readable files on a system that I
> wouldn't really want everyone and their fish to look at :-(
> 
> 	I'm not a fan of finger in general, turning off inetd entirely is
> part of a normal install for me.
> 
> -- 
> Joseph Scott
> joseph.scott@owp.csus.edu
> The Office Of Water Programs - CSU Sacramento

--- End of Quoted Text ---

Ciao,
Unicorn.
-- 
======= _ __,;;;/ TimeWaster ================================================
     ,;( )_, )~\| A Truly Wise Man Never Plays   PGP: 64 07 5D 4C 3F 81 22 73
    ;; //  `--;     Leapfrog With A Unicorn...        52 9D 87 08 51 AA 35 F0
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======
Echelon Teasers: NSA CIA FBI Mossad BVD MI5 Cocaine Cuba Revolution Espionage 


