Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!husc6!necntc!ames!sdcsvax!ucbvax!rca.COM!EVERHART%ARISIA
From: EVERHART%ARISIA@rca.COM.UUCP
Newsgroups: comp.os.vms
Subject: Finger
Message-ID: <8710020713.AA05271@ucbvax.Berkeley.EDU>
Date: Wed, 30-Sep-87 17:23:00 EDT
Article-I.D.: ucbvax.8710020713.AA05271
Posted: Wed Sep 30 17:23:00 1987
Date-Received: Sat, 3-Oct-87 08:37:29 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 26

As a result of the security bug found in Finger, I proposed a few weeks ago a temporary patch to prevent Finger from reading FINGER.PLN with privilege. Since then, Richard Garland has sent me his latest version, which I have merged with code from several other sources and which I will place on the next VAX SIG tape.

Code I've just tested now checks the owner UIC of FINGER.PLN against the UIC found in the UAF entry for an individual being fingered. If the two are equal, Finger uses privilege to open FINGER.PLN and read it. Otherwise Finger attempts an open without privilege (in case the file is owned by an identifier but is nevertheless world readable). Thus, Finger will not display any file not owned by the individual being fingered, preventing it from being fooled by directory entries to files owned by others.

Unfortunately my site is a mail only site, and 400K bytes or so of code is a lot to mail. I'm willing to send it to a FEW sites who will then advertise to this list they can redistribute it. Otherwise wait for the tape, please, or ask someone near you on the GE internal DECnet (if there is anyone).

I'd also like a test site for the LAT terminal locating code. I have no LATs here, but have pasted in some (commented out) code to give LAT server and port IDs (thanks to some code off the Internet; thanks, folks) and would like to find a brave soul to try it out (and maybe fix it if broken...)

Thanks, all...
Glenn Everhart Everhart%Arisia.decnet@ge-crd.arpa
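The ownership check the post describes (compare the plan file's owner against the fingered user's identity; use privilege only when they match, otherwise try an unprivileged open and refuse anything not world-readable) transposed to a POSIX host, as an added example. This is not the VMS Finger code from the post or the VAX SIG tape: it is constructed here, uses `pwd`/`lstat`/`fstat` in place of the UAF lookup and UIC comparison, treats a symlink as the POSIX analogue of a directory entry pointing at someone else's file, and models "open without privilege" by switching the effective uid to the fingered user when the process is root (an assumption about how such a daemon would be run). The `demo()` helper builds its own sample files in a temporary directory.

```python
import os
import pwd
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed example of the owner-before-privilege check; not the post's code.


@dataclass
class PlanResult:
    mode: str            # "privileged", "unprivileged" or "refused"
    text: Optional[str]  # file contents when something was read, else None


def decide_plan_access(file_uid: int, file_mode: int, target_uid: int) -> str:
    """Pure policy: how, if at all, may the server read this plan file?

    Mirrors the post: owner matches the fingered user -> read with privilege;
    foreign owner but world-readable -> plain unprivileged open; else refuse.
    """
    if not stat.S_ISREG(file_mode):
        return "refused"          # plain files only: no symlinks, dirs, devices
    if file_uid == target_uid:
        return "privileged"       # the file belongs to the person being fingered
    if file_mode & stat.S_IROTH:
        return "unprivileged"     # someone else's file, but readable by all
    return "refused"


def read_plan(path: str, username: str, max_bytes: int = 4096) -> PlanResult:
    """Read a user's plan file, never using privilege on a file they don't own."""
    target_uid = pwd.getpwnam(username).pw_uid   # the "UAF entry" lookup
    try:
        before = os.lstat(path)                  # do not follow links here
    except OSError:
        return PlanResult("refused", None)

    mode = decide_plan_access(before.st_uid, before.st_mode, target_uid)
    if mode == "refused":
        return PlanResult(mode, None)

    saved_euid = os.geteuid()
    # "Open without privilege": if we are root, become the fingered user for the
    # open so the kernel, not this program, decides whether the file is readable.
    # A non-root process already has no privilege to drop.
    if mode == "unprivileged" and saved_euid == 0:
        os.seteuid(target_uid)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError:
        return PlanResult("refused", None)
    finally:
        if os.geteuid() != saved_euid:
            os.seteuid(saved_euid)

    try:
        after = os.fstat(fd)
        # The directory entry could have been swapped between lstat and open;
        # re-check identity and ownership on the descriptor actually opened.
        same = (after.st_dev, after.st_ino, after.st_uid) == (
            before.st_dev, before.st_ino, before.st_uid)
        if not same or not stat.S_ISREG(after.st_mode):
            return PlanResult("refused", None)
        data = os.read(fd, max_bytes)
    finally:
        os.close(fd)
    return PlanResult(mode, data.decode("utf-8", errors="replace"))


def demo() -> dict:
    """Exercise read_plan on constructed files: own plan, a symlink, a missing file."""
    me = pwd.getpwuid(os.geteuid()).pw_name
    with tempfile.TemporaryDirectory() as d:
        plan = os.path.join(d, ".plan")
        with open(plan, "w") as f:
            f.write("Back on Monday.\n")          # constructed sample content
        link = os.path.join(d, "alias.plan")
        os.symlink(plan, link)                    # "directory entry" to another file
        own = read_plan(plan, me)
        return {
            "own_file": own.mode,
            "own_text": own.text,
            "via_link": read_plan(link, me).mode,
            "missing": read_plan(os.path.join(d, "none"), me).mode,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The pure `decide_plan_access` function carries the policy so it can be unit-tested with made-up uids and modes; `read_plan` does the privilege-sensitive work and re-validates on the open descriptor rather than trusting the earlier path lookup.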