From owner-freebsd-security  Mon Oct  2 18: 3:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 915F837B502; Mon,  2 Oct 2000 18:03:03 -0700 (PDT)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id SAA46224;
	Mon, 2 Oct 2000 18:03:03 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
Date: Mon, 2 Oct 2000 18:03:03 -0700
From: Kris Kennaway <kris@FreeBSD.org>
To: Joseph Scott <joseph.scott@owp.csus.edu>
Cc: Brian Somers <brian@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG,
	cvs-all@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: cvs commit: src/usr.bin/finger finger.c
Message-ID: <20001002180303.A40584@freefall.freebsd.org>
References: <200010022227.PAA62603@freefall.freebsd.org> <39D92E08.E00CF2E4@owp.csus.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <39D92E08.E00CF2E4@owp.csus.edu>; from joseph.scott@owp.csus.edu on Mon, Oct 02, 2000 at 05:53:28PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Oct 02, 2000 at 05:53:28PM -0700, Joseph Scott wrote:

> but it seems to point to this "feature" being added somewhere between
> Jan 27 and Sep 14 (about the last world builds for these two
> machines).

It was added just before 4.1.1, and since finger runs as user nobody
it only allows reading those files. The annoying thing is that I still
have this commit flagged in my cvs folder because it seemed
potentially dangerous, but I never got to looking at it and I didnt
notice it had been MFCed. Oh well, too late now - at least it was
caught in relatively short order :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message