Path: utzoo!attcan!uunet!peregrine!elroy!ames!nrl-cmf!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: natinst!brian@cs.utexas.edu (Brian H. Powell)
Newsgroups: comp.sys.sun
Subject: Yet another finger hole
Message-ID: <8811112032.AA22990@natinst.uucp>
Date: 22 Nov 88 23:38:04 GMT
Sender: usenet@rice.edu
Reply-To: Sun-Spots@Rice.edu
Organization: Rice University, Houston, Texas
Lines: 20
Approved: Sun-Spots@rice.edu
Original-Date: Fri, 11 Nov 88 14:32:22 CST
X-Sun-Spots-Digest: Volume 7, Issue 22, message 8 of 14

As distributed, SunOS 4.0 has the same bug.  However, since SunOS 4.0 uses
a 4.3BSD-style inetd.conf, you can easily fix it.

     Just edit /etc/inetd.conf, and change the line that says:

finger	stream  tcp	nowait  root	/usr/etc/in.fingerd	in.fingerd

     to say

finger	stream  tcp	nowait  nobody  /usr/etc/in.fingerd	in.fingerd

This will cause in.fingerd to run as nobody instead of root.  Make sure
you've got a nobody in your passwd file.  The fix mentioned above (making
in.fingerd owned, grouped, setuid and setgid to nobody/nogroup) also
works.

Brian H. Powell					National Instruments Corp.
	brian@natinst.uucp			12109 Technology Blvd.
	cs.utexas.edu!natinst!brian		Austin, Texas 78727-6204
	AppleLink:D0351				(512) 250-9119 x832