Path: utzoo!utgpu!watmath!clyde!att!rutgers!ukma!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: pb%computer-lab.cambridge.ac.uk@nss.cs.ucl.ac.uk (Piete Brooks)
Newsgroups: comp.sys.sun
Subject: Re: Yet another finger hole
Message-ID:
Date: 3 Dec 88 23:22:46 GMT
Sender: usenet@rice.edu
Organization: Rice University, Houston, Texas
Lines: 26
Approved: Sun-Spots@rice.edu
Original-Date: Wed, 23 Nov 88 9:10 GMT
X-Sun-Spots-Digest: Volume 7, Issue 36, message 4 of 12
X-Issue-Reference: v7n22

> The fix, as I see it, is to run a more reasonable inetd (like the 4.3BSD
> one, which allows you to specify the user as which a daemon should run),
> or to do:
>
> # chown nobody /usr/etc/in.fingerd
> # chgrp nobody /usr/etc/in.fingerd
> # chmod 6755 /usr/etc/in.fingerd
>
> This will make fingerd run as nobody.

********** DO NOT DO THIS without thinking VERY carefully ! **********

As I see it this allows anyone who accesses your machine as "nobody"
(e.g. root on an untrusted machine accessible to random undergrads) to
gain root access to your machine !

If they can mount your /usr/etc writable, then all they have to do is to
chmod in.fingerd (if people really DID set it writable by "nobody") so
that you can write it, insert your favourite program, chmod it to be NOT
setuid, then run a remote finger !

May I suggest moving /usr/etc/in.fingerd to (e.g.) /usr/etc/In.fingerd
and replacing it with a script:

	#! /bin/sh
	exec su nobody -c /usr/etc/In.fingerd

[ exec if you don't trust your sh to exec the last command of a script ]
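The following is an added audit script and is not part of Piete's post nor of any SunOS or BSD code. It checks, in POSIX sh, for the two conditions the post turns on: a set-uid or set-gid executable owned by an account other than the one you trust (the "chown nobody; chmod 6755" state, where whoever can act as that owner can chmod the file, rewrite it, clear the setuid bit, and have inetd exec the replacement as root), and a wrapper script of the kind suggested in the post that is itself not root-owned or is group/world writable, which would be open to the same rewrite. The function names, the directory argument and the "trusted account" argument are this example's own choices; the trusted account may be given as a name or, if the name does not exist on the system, as a numeric uid, which is how find's -user test treats it.

```shell
#!/bin/sh
# Added example (not from the original post): audit for setuid/setgid
# executables that an unprivileged account could rewrite, and for unsafe
# inetd wrapper scripts. Function and argument names are this example's own.

# audit_setuid_not_owned_by DIR TRUSTED_USER
#   Print every set-uid or set-gid regular file under DIR that is NOT owned
#   by TRUSTED_USER (normally root). Returns 0 if nothing was found, 1 if
#   at least one offending file was printed.
audit_setuid_not_owned_by() {
    dir=$1
    trusted=$2
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    found=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
                 ! -user "$trusted" -print 2>/dev/null)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# count_setuid_not_owned_by DIR TRUSTED_USER
#   Same check, but print only the number of offending files (0 if none).
count_setuid_not_owned_by() {
    audit_setuid_not_owned_by "$1" "$2" | grep -c .
}

# wrapper_is_safe FILE
#   A wrapper that inetd execs as root must itself be root-owned and must
#   not be writable by group or other, otherwise anyone who can write it
#   gets the same result as rewriting in.fingerd. Returns 0 if safe.
wrapper_is_safe() {
    f=$1
    [ -f "$f" ] || return 1
    # any output from "! -user root" means the file is not owned by root
    [ -z "$(find "$f" ! -user root -print 2>/dev/null)" ] || return 1
    # -perm -020: group-writable; -perm -002: world-writable
    [ -z "$(find "$f" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Stand-alone usage: sh audit.sh /usr/etc [trusted-user]   (default: root)
if [ -n "${1-}" ]; then
    audit_setuid_not_owned_by "$1" "${2:-root}" && echo "no foreign-owned setuid files under $1"
fi
```

Run it against the directory inetd's daemons live in (/usr/etc on the SunOS of the post) with root as the trusted account; every path it prints is a binary that its non-root owner, or anyone mapped to that owner over NFS, can turn into a root shell by the route the post describes. Check the wrapper with wrapper_is_safe before pointing inetd at it.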