From owner-freebsd-audit Sat Jul 28 5:30:20 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138])
	by hub.freebsd.org (Postfix) with ESMTP id 154A937B403;
	Sat, 28 Jul 2001 05:30:18 -0700 (PDT)
	(envelope-from dima@unixfreak.org)
Received: by bazooka.unixfreak.org (Postfix, from userid 1000)
	id E88223E2F; Sat, 28 Jul 2001 05:30:13 -0700 (PDT)
Received: from bazooka.unixfreak.org (localhost [127.0.0.1])
	by bazooka.unixfreak.org (Postfix) with ESMTP id D85BF3C12C;
	Sat, 28 Jul 2001 05:30:13 -0700 (PDT)
To: Yar Tikhiy
Cc: audit@freebsd.org
Subject: Re: finger(1) & fingerd(8)
In-Reply-To: <20010728155159.A35483@snark.rinet.ru>; from yar@freebsd.org on "Sat, 28 Jul 2001 15:51:59 +0400"
Date: Sat, 28 Jul 2001 05:30:08 -0700
From: Dima Dorfman
Message-Id: <20010728123013.E88223E2F@bazooka.unixfreak.org>
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Yar Tikhiy writes:
> Hi,
>
> Currently, finger(1) reveals user information if the user
> has created the ``.nofinger'' file, but his home directory
> is unreadable for finger(1).
>
> In the case of local access, it's no problem, since anyone may read
> /etc/passwd directly. OTOH, letting remote folks peek at user
> information even if the user wants to hide himself is a bad thing.
>
> Therefore, a patch is proposed that adds an option telling finger(1)
> fingerd(1) not to show users whose home directories are unreadable.
>
> Another way is not to do the bad thing by default. Any comments?

This is just a review list, so it isn't the right place to propose
something like this. -arch or -hackers would be better.

On another note, I think you should do the ".nofinger" ->
_PATH_NOFINGER separately. That part (most likely) doesn't need a
discussion, so you can apply that now so your diff is less cluttered.
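The behaviour discussed in this thread, as an added C example that is not taken from finger(1) or from the proposed patch: a .nofinger check that reads every stat() failure as "no opt-out" shows the user when the home directory cannot be searched, while a fail-closed check hides the user unless the file is known to be absent. The names nofinger_probe, hide_fail_open, hide_fail_closed and NOFINGER_FILE, and the /tmp sample directory, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

#define NOFINGER_FILE ".nofinger" /* opt-out file named in the thread */

enum nf_state { NF_ABSENT, NF_PRESENT, NF_UNKNOWN };

/* Probe <home>/.nofinger, keeping "not there" apart from "could not look". */
enum nf_state nofinger_probe(const char *home)
{
    char path[1024];
    struct stat st;
    int n;
    if (home == NULL)
        return NF_UNKNOWN;
    n = snprintf(path, sizeof(path), "%s/%s", home, NOFINGER_FILE);
    if (n < 0 || (size_t)n >= sizeof(path))
        return NF_UNKNOWN;          /* truncated path: do not guess */
    if (stat(path, &st) == 0)
        return NF_PRESENT;
    /* ENOENT: file is absent. EACCES, ENOTDIR, ...: no answer available. */
    return errno == ENOENT ? NF_ABSENT : NF_UNKNOWN;
}

/* Fail-open: every stat() failure is read as "user did not opt out". */
int hide_fail_open(const char *home) { return nofinger_probe(home) == NF_PRESENT; }

/* Fail-closed: hide unless .nofinger is known to be absent. */
int hide_fail_closed(const char *home) { return nofinger_probe(home) != NF_ABSENT; }

int main(void)
{
    char home[] = "/tmp/nofinger-demo-XXXXXX"; /* constructed sample home */
    char file[1024];
    FILE *fp;
    if (mkdtemp(home) == NULL)
        return 1;
    snprintf(file, sizeof(file), "%s/%s", home, NOFINGER_FILE);
    if ((fp = fopen(file, "w")) != NULL)
        fclose(fp);
    chmod(home, 0);   /* home is now unsearchable for non-root callers */
    printf("fail-open hides=%d fail-closed hides=%d\n",
           hide_fail_open(home), hide_fail_closed(home));
    chmod(home, 0700);
    return (remove(file) == 0 && remove(home) == 0) ? 0 : 1;
}
```

Run as an unprivileged user, the demo reports that the fail-open check does not hide the user while the fail-closed one does; root bypasses the directory permission, so both report the user as hidden.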