Date: Mon, 02 Oct 2000 17:53:28 -0700
From: Joseph Scott <joseph.scott@owp.csus.edu>
To: Brian Somers <brian@FreeBSD.ORG>
Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: cvs commit: src/usr.bin/finger finger.c
Message-ID: <39D92E08.E00CF2E4@owp.csus.edu>
References: <200010022227.PAA62603@freefall.freebsd.org>

Brian Somers wrote:
>
> brian       2000/10/02 15:27:34 PDT
>
>   Modified files:
>     usr.bin/finger       finger.c
>   Log:
>   Don't allow finger /somefile, only allow filename expansions from
>   inside /etc/finger.conf

This is one of those things that makes me go ack! So I started trying on a couple of my machines here.

I tried it first against my own notebook running 4.1. It worked just as expected when run up against /etc/passwd@localhost. It did not work against a 3.4 machine from notebook though. I haven't looked too much closer at that part, but it seems to point to this "feature" being added somewhere between Jan 27 and Sep 14 (about the last world builds for these two machines).

Another thing I've noticed, it looks like it only works against world readable files. So someone couldn't do a finger /etc/master.passwd@goodguysrus.com and expect something back. There are of course plenty of world readable files on a system that I wouldn't really want everyone and their fish to look at :-(

I'm not a fan of finger in general, turning off inetd entirely is part of a normal install for me.

--
Joseph Scott
joseph.scott@owp.csus.edu
The Office Of Water Programs - CSU Sacramento