From: Yar Tikhiy
To: hackers@FreeBSD.ORG, security@FreeBSD.ORG
Date: Sat, 11 Aug 2001 08:43:10 +0400
Subject: Re: finger/fingerd & home directory permissions
Message-ID: <20010811084310.B29956@comp.chem.msu.su>
In-Reply-To: <20010809020831.B44660@comp.chem.msu.su>

On Thu, Aug 09, 2001 at 02:08:31AM +0400, Yar Tikhiy wrote:
>
> Currently, finger(1) reveals user information if the user
> has created the ``.nofinger'' file, but his home directory
> is unreadable for finger(1).
>
> In the case of local access, it's no problem, since anyone may read
> /etc/passwd directly. OTOH, letting remote folks peek at user
> information even if the user wants to hide himself is a bad thing.
>
> The issue I'd like to submit to discussion is what way to choose:
>
> a) Add a command-line option to finger(1) and fingerd(8) telling
>    them not to reveal user information if the user's homedir is
>    protected.
>
> b) Similar to a), but hide such users by default.
>
> c) Don't bother at all :-)

Thanks, everyone, for your suggestions and comments.
I'm going to take the a) way.

-- 
Yar