Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!uakari.primate.wisc.edu!aplcen!boingo.med.jhu.edu!dave
From: dave@boingo.med.jhu.edu (David Heath)
Newsgroups: comp.unix.wizards
Subject: special files as .plans?
Message-ID: <1990Aug24.224727.26823@boingo.med.jhu.edu>
Date: 24 Aug 90 22:47:27 GMT
Distribution: comp
Organization: The Johns Hopkins Hospital-Body CT Imaging Lab
Lines: 23

Recently, I wrote a program that creates a named pipe $HOME/.plan and
writes various plans to it when I am fingered. This program was written
under ultrix.

My sysadm asked me about it (and how to use named pipes in general) a
couple of weeks later, so I sent him the source and explained how it
worked. The next day, I got a message that said, in part, "As I'm sure
you have surmised, you have discovered a MAJOR security hole."

After talking with him about it, I realized that he did not understand
how the program worked. I tried again to explain it, and told him I was
convinced that it was not a security hole. Nevertheless, he modified the
finger program to ignore .plan and .project when they were special files.

I would be tempted to dismiss his attitude as paranoia, but he pointed
out that in ultrix 4.0, the supplied finger has the same behavior (i.e.,
ignores special files).

So, what I'm wondering is: "Is this really a security hole?"

Thanks,
--
dave heath                 heath@crabcake.cs.jhu.edu
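
The behaviour the post describes, a finger that ignores .plan and .project when they are special files, can be sketched as follows. This is an added example, not code from the post or from any finger implementation; read_plan_if_regular and demo are hypothetical names, and opening with O_NONBLOCK is an assumption made here so the reader never waits on a pipe that has no writer.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: copy up to cap-1 bytes of path into out only when it
 * is a regular file. Returns the byte count, or -1 if missing or special. */
long read_plan_if_regular(const char *path, char *out, size_t cap)
{
    struct stat st;
    size_t total = 0;
    ssize_t n;
    int fd;

    if (cap == 0) return -1;
    /* O_NONBLOCK: opening a FIFO with no writer returns at once. */
    fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    /* Check the descriptor we hold, not the path, so no swap can intervene. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    while (total < cap - 1 && (n = read(fd, out + total, cap - 1 - total)) > 0)
        total += (size_t)n;
    close(fd);
    out[total] = '\0';
    return (long)total;
}

/* Constructed demo: make a scratch .plan as a regular file (fifo == 0) or a
 * named pipe (fifo != 0) and return what the reader reports for it. */
long demo(int fifo)
{
    char dir[] = "/tmp/planXXXXXX", path[64], buf[128];
    FILE *f = NULL;
    long r = -2;   /* -2: the demo could not set up its scratch file */
    if (!mkdtemp(dir)) return r;
    snprintf(path, sizeof path, "%s/.plan", dir);
    if (fifo ? mkfifo(path, 0600) == 0 : (f = fopen(path, "w")) != NULL) {
        if (f) { fputs("Working late\n", f); fclose(f); }
        r = read_plan_if_regular(path, buf, sizeof buf);
        unlink(path);
    }
    rmdir(dir);
    return r;
}
```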