From owner-cvs-all Tue Oct 3 0:30:55 2000
Delivered-To: cvs-all@freebsd.org
Received: from unicorn.blackhats.org (unicorn.blackhats.org [194.109.83.155])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7C4FB37B502; Tue, 3 Oct 2000 00:30:46 -0700 (PDT)
Received: by unicorn.blackhats.org (Postfix, from userid 1002)
	id 7918E12C18; Tue, 3 Oct 2000 09:30:03 +0200 (CEST)
Date: Tue, 3 Oct 2000 09:30:03 +0200
From: The Unicorn
To: Joseph Scott
Cc: Brian Somers, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG,
	freebsd-security@FreeBSD.ORG
Subject: Re: cvs commit: src/usr.bin/finger finger.c
Message-ID: <20001003093003.F89835@unicorn.blackhats.org>
References: <200010022227.PAA62603@freefall.freebsd.org> <39D92E08.E00CF2E4@owp.csus.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <39D92E08.E00CF2E4@owp.csus.edu>; from joseph.scott@owp.csus.edu on Mon, Oct 02, 2000 at 05:53:28PM -0700
X-Files: The Truth Is Out There!
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 02 Oct 2000, Joseph Scott supposedly wrote:
>
> Brian Somers wrote:
> >
> > brian 2000/10/02 15:27:34 PDT
> >
> > Modified files:
> > usr.bin/finger finger.c
> > Log:
> > Don't allow finger /somefile, only allow filename expansions from
> > inside /etc/finger.conf
>
> This is one of those things that makes me go ack! So I started
> trying on a couple of my machines here. I tried it first against my
> own notebook running 4.1. It worked just as expected when run up
> against /etc/passwd@localhost. It did not work against a 3.4 machine
> from notebook though. I haven't looked too much closer at that part,
> but it seems to point to this "feature" being added somewhere between
> Jan 27 and Sep 14 (about the last world builds for these two
> machines).

I found the following:

    [root @ me]:.../home/unicorn(2435)# finger /etc/passwd@localhost
    [localhost]
    finger: /etc/passwd: no such user
    [root @ me]:.../home/unicorn(2436)# uname -a
    FreeBSD me.xxx.org 4.0-STABLE FreeBSD 4.0-STABLE #0: Fri Jun 2 02:42:57 CEST 2000 root@me.xxx.org:/usr/src/sys/compile/ME i386

> Another thing I've noticed, it looks like it only works against world
> readable files. So someone couldn't do a finger
> /etc/master.passwd@goodguysrus.com and expect something back. There
> are of course plenty of world readable files on a system that I
> wouldn't really want everyone and their fish to look at :-(
>
> I'm not a fan of finger in general, turning off inetd entirely is
> part of a normal install for me.
>
> --
> Joseph Scott
> joseph.scott@owp.csus.edu
> The Office Of Water Programs - CSU Sacramento

--- End of Quoted Text ---

Ciao,
Unicorn.
--
======= _ __,;;;/ TimeWaster ================================================
,;( )_, )~\| A Truly Wise Man Never Plays PGP: 64 07 5D 4C 3F 81 22 73
;; // `--; Leapfrog With A Unicorn... 52 9D 87 08 51 AA 35 F0
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======
Echelon Teasers: NSA CIA FBI Mossad BVD MI5 Cocaine Cuba Revolution Espionage