Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!uwm.edu!rpi!sci.ccny.cuny.edu!phri!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.wizards
Subject: Re: special files as .plans?
Message-ID: <11414:Aug2502:56:4090@kramden.acf.nyu.edu>
Date: 25 Aug 90 02:56:40 GMT
References: <1990Aug24.224727.26823@boingo.med.jhu.edu>
Distribution: usa
Organization: IR
Lines: 31

In article <1990Aug24.224727.26823@boingo.med.jhu.edu> dave@boingo.med.jhu.edu (David Heath) writes:
  [ made named pipe ~/.plan, had finger daemon writing plans to it ]
  [ sysadmin asked about it ]
> so I sent him the
> source and explained how it worked. The next day, I got a message that
> said, in part, "As I'm sure you have surmised, you have discovered a MAJOR
> security hole."
  [ said no, but sysadmin modified finger anyway to ignore special files ]
  [ ultrix 4.0's finger also ignores special .plan and .project ]
> "Is this really a security hole?"

No. There are three problems with finger that can lead to security holes:

1. Many versions of finger don't convert control characters to printable
forms. This is the client's responsibility in case of a network finger.
Anyway, .plan and .project can contain dangerous control sequences.

2. There is no easy way for a sysadmin or user to restrict the flow of
information to the network. See, e.g., some of Steve Bellovin's articles
for clear explanations of why this is a problem.

3. The network finger daemon is not careful to flush output before
reading .plan and .project. Hence a user can stop all finger information
from going to the outside by setting up ~/.plan as a named pipe without
a writer. Note: As long as #2 is not corrected, this is a feature, not a
bug! The minor inconvenience of hanging fingerd is irrelevant compared
to the dangers of releasing too much information.

---Dan
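
Added example, not part of the original post or of any finger implementation: C code showing how a finger server could handle points 1 and 3 above and the "ignore special files" change the sysadmin made. It flushes pending output before touching the user's file, opens the file without blocking and skips anything that is not a regular file, and converts control characters to printable forms. The function names open_regular, to_printable and print_plan are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return an fd for path only if it is a regular file, else -1. O_NONBLOCK
 * keeps open() from sleeping on a writer-less FIFO; fstat checks the fd. */
int open_regular(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd >= 0 && (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Printable form of n bytes: controls become ^X, DEL ^?, bytes >= 0x80 get
 * M-; newline and tab stay. Returns length; out is NUL-terminated, cut at cap. */
size_t to_printable(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; i < n && o + 4 < cap; i++) {
        unsigned char c = in[i];
        if (c >= 0x80) { out[o++] = 'M'; out[o++] = '-'; c &= 0x7f; }
        if (c == '\n' || c == '\t' || (c >= 0x20 && c < 0x7f))
            out[o++] = (char)c;
        else { out[o++] = '^'; out[o++] = (char)(c ^ 0x40); }
    }
    out[o] = '\0';
    return o;
}

/* Print a plan file to `to`; returns 0, or -1 if skipped or unreadable. */
int print_plan(const char *path, FILE *to)
{
    unsigned char buf[256];
    char out[4 * sizeof buf + 1];
    ssize_t n;
    fflush(to);    /* point 3: flush earlier output before reading user files */
    int fd = open_regular(path);
    if (fd < 0) return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(out, 1, to_printable(buf, (size_t)n, out, sizeof out), to);
    close(fd);
    return n < 0 ? -1 : 0;
}
```

With this, a ~/.plan that is a named pipe is skipped instead of hanging the daemon, which also removes the information-blocking side effect the post calls a feature while point 2 remains unaddressed.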