Path: utzoo!attcan!uunet!peregrine!elroy!ames!nrl-cmf!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: steve@brillig.umd.edu (Steve D. Miller)
Newsgroups: comp.sys.sun
Subject: Yet another finger hole
Message-ID: <8811111706.AA05583@brillig.umd.edu>
Date: 22 Nov 88 23:17:58 GMT
Sender: usenet@rice.edu
Reply-To: Sun-Spots@Rice.edu
Organization: Rice University, Houston, Texas
Lines: 28
Approved: Sun-Spots@rice.edu
Original-Date: Fri, 11 Nov 88 12:06:11 EST
X-Sun-Spots-Digest: Volume 7, Issue 22, message 7 of 14

It has been pointed out to me by Tony Nardo at APL (trn@warper.jhuapl.edu)
that there's yet another (smallish) problem with finger under at least
SunOS 3.X.  Basically, one can make a symlink from one's own .plan to some
protected file in another user's directory, then take advantage of the
fact that in.fingerd runs from inetd (which runs as root) to read the
"unreadable" file.

The fix, as I see it, is to run a more reasonable inetd (like the 4.3BSD
one, which allows you to specify the user as which a daemon should run),
or to do:

	# chown nobody /usr/etc/in.fingerd
	# chgrp nobody /usr/etc/in.fingerd
	# chmod 6755 /usr/etc/in.fingerd

This will make fingerd run as nobody.

This problem is likely to exist in any system that doesn't provide a
4.3BSD-style inetd.conf.  Whether or not that includes SunOS 4.X, I don't
know, but I'd like to find out.

[[ See the next message.  --wnl ]]

This is sure the week for the security problems to come out of the
woodwork, isn't it!

	-Steve

Spoken: Steve Miller    Domain: steve@mimsy.umd.edu    UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808  USPS: UMIACS, Univ. of Maryland, College Park, MD 20742
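
The hole in the post above comes from a root-run in.fingerd following a symlink planted at a user's .plan. As an added example (not part of the original post, and not SunOS or fingerd source), this C code shows a complementary check a daemon can make when opening .plan: refuse a symlink at the final path component and accept only a regular file owned by the fingered user. Assumptions: open_plan and try_plan are hypothetical names, the fixture files are constructed in a temporary directory, and O_NOFOLLOW is a later POSIX flag that SunOS 3.X did not have, so this supplements rather than replaces running the daemon as an unprivileged user.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a .plan for reading. Returns an fd, or -1 if the path is a symlink,
 * is not a regular file, or is not owned by `owner` (the ownership check
 * also rejects a hard link to someone else's file). */
int open_plan(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: fail (ELOOP) on a symlink; O_NONBLOCK: never hang on a FIFO */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the path, so the check cannot be raced */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a temp dir with a "protected" file and a .plan that is
 * a real file (as_symlink=0) or a symlink to the protected file (as_symlink=1).
 * Returns 1 if open_plan() accepted the .plan, 0 if refused, -1 on setup error. */
int try_plan(int as_symlink)
{
    char dir[] = "/tmp/plan-demo-XXXXXX", target[64], plan[64];
    int fd, ok;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(plan, sizeof plan, "%s/.plan", dir);
    if ((fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    close(fd);
    if (as_symlink ? symlink(target, plan) != 0
                   : (fd = open(plan, O_WRONLY | O_CREAT | O_EXCL, 0644)) < 0)
        return -1;
    if (!as_symlink)
        close(fd);
    ok = (fd = open_plan(plan, geteuid())) >= 0;
    if (ok)
        close(fd);
    unlink(plan); unlink(target); rmdir(dir);
    return ok;
}
```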