From owner-freebsd-bugs Wed Oct 18 12:23:30 1995
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id MAA18031 for bugs-outgoing; Wed, 18 Oct 1995 12:23:30 -0700
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id MAA18021 for ; Wed, 18 Oct 1995 12:23:23 -0700
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <17842(5)>; Wed, 18 Oct 1995 11:42:33 PDT
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177487>; Wed, 18 Oct 1995 11:40:06 -0700
X-Mailer: exmh version 1.6.1 5/23/95
To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
cc: dv@xkis.nnov.su (Dmitry Valdov), freebsd-bugs@freebsd.org
Subject: Re: secure finger is not enought secure
In-reply-to: Your message of "Sat, 14 Oct 95 10:56:45 PDT." <199510141756.SAA11380@uriah.heep.sax.de>
Mime-Version: 1.0
Content-Type: multipart/mixed ; boundary="===_0_Wed_Oct_18_11:37:54_PDT_1995"
Date: Wed, 18 Oct 1995 11:39:56 PDT
From: Bill Fenner
Message-Id: <95Oct18.114006pdt.177487@crevenia.parc.xerox.com>
Sender: owner-bugs@freebsd.org
Precedence: bulk

This is a multipart MIME message.

--===_0_Wed_Oct_18_11:37:54_PDT_1995
Content-Type: text/plain; charset=us-ascii

In message <199510141756.SAA11380@uriah.heep.sax.de> J"org wrote:
>> merahq: {2} telnet localhost finger
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>
>This is an entirely different matter. It's not the finger service as
>invoked via inetd(8). If you've already got access to the local
>machine, it doesn't make sense if you couldn't run finger locally.

It is indeed the finger service as invoked via inetd, and although it was perhaps a bad example, it does indeed work remotely. In fact, you can pass any options to finger, including getting the normal finger output:

crevenia% telnet baobab finger
Trying 13.2.116.113 ...
Connected to baobab.
Escape character is '^]'.
--
Login    Name                 TTY  Idle  Login Time   Office     Office Phone
fenner   Bill Fenner          *v1   13d  Oct  4 13:12
fenner   Bill Fenner           p0   13d  Oct  4 13:14
fenner   Bill Fenner           p1        Oct 10 13:23
root     Charlie Root         *v0   13d  Oct  4 13:11
Connection closed by foreign host.

The attached diff should fix it; this might perhaps want to be in 2.1 (or at least documented as insecure!). It only counts things without leading dashes as usernames.

  Bill

--===_0_Wed_Oct_18_11:37:54_PDT_1995
Content-Type: text/plain; charset=us-ascii
Content-Description: fingerd.c.diff

--- fingerd.c.orig Wed Oct 18 11:32:54 1995 +++ fingerd.c Wed Oct 18 11:45:16 1995 @@ -67,7 +67,7 @@ register char *lp; struct hostent *hp; struct sockaddr_in sin; - int p[2], logging, secure, sval; + int p[2], logging, secure, sval, gotuser; #define ENTRIES 50 char **ap, *av[ENTRIES + 1], **comp, line[1024], *prog; 
@@ -107,13 +107,10 @@ exit(1); comp = &av[1]; + gotuser = 0; for (lp = line, ap = &av[2];;) { *ap = strtok(lp, " \t\r\n"); if (!*ap) { - if (secure && ap == &av[2]) { - puts("must provide username\r\n"); - exit(1); - } break; } if (secure && strchr(*ap, '@')) { @@ -126,9 +123,17 @@ av[1] = "-l"; comp = &av[0]; } - else if (++ap == av + ENTRIES) - break; + else { + if ((*ap)[0] != '-') + gotuser++; + if (++ap == av + ENTRIES) + break; + } lp = NULL; + } + if (secure && !gotuser) { + puts("must provide username\r\n"); + exit(1); } if (lp = strrchr(prog, '/')) --===_0_Wed_Oct_18_11:37:54_PDT_1995--
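
Review bot: in the second hunk (@@ -107,13 +107,10 @@) the `if (!*ap)` block is left with braces around a lone `break;` once the secure check is removed; collapse it to `if (!*ap) break;`. A short comment at `gotuser = 0;` saying that it counts tokens without a leading dash would also help, because the check that reads it now sits after the loop rather than next to the tokenizing code.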
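
Review bot: in the last hunk (@@ -126,9 +123,17 @@) the new `else` branch still advances `ap` for tokens that begin with '-', so in secure mode every option the client sends is still stored in `av` next to the username; `gotuser` only guarantees that at least one non-dash token is present. If secure mode is meant to keep remote clients from choosing finger's options, refuse such tokens in that branch when `secure` is set, the way the '@' case above already exits, or state in the documentation that options are still accepted. A one-line comment on `if ((*ap)[0] != '-')` explaining that it separates options from usernames would make the intent clear.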
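
The username rule before and after the patch, run over constructed request lines; this is an added example, not part of the original message or of fingerd's source. The function names are hypothetical, the /W test is assumed from fingerd's RFC 742 handling outside the lines shown in the diff, and the '@' forwarding check and the ENTRIES limit are left out.

```c
#include <stdio.h>
#include <string.h>

#define DELIMS " \t\r\n"

/* "/W" or "/w" is the RFC 742 verbose flag (assumed, not visible in the
 * diff); fingerd maps it to -l and does not store it as an argument,
 * so it never counts as a username. */
static int is_verbose_flag(const char *tok)
{
    return tok[0] == '/' && (tok[1] == 'W' || tok[1] == 'w');
}

/* Count the tokens of one request line that satisfy the secure-mode
 * "must provide username" rule.  dash_is_option = 0 models the check
 * before the patch (any stored token counts); 1 models the patched
 * check (tokens with a leading '-' do not count). */
static int count_users(const char *request, int dash_is_option)
{
    char line[1024], *tok;
    int n = 0;

    strncpy(line, request, sizeof(line) - 1);
    line[sizeof(line) - 1] = '\0';
    for (tok = strtok(line, DELIMS); tok; tok = strtok(NULL, DELIMS)) {
        if (is_verbose_flag(tok))
            continue;
        if (dash_is_option && tok[0] == '-')
            continue;
        n++;
    }
    return n;
}

int old_secure_ok(const char *request) { return count_users(request, 0) > 0; }
int new_secure_ok(const char *request) { return count_users(request, 1) > 0; }

int main(void)
{
    /* Constructed request lines, as a client would send them. */
    const char *samples[] = { "fenner\r\n", "--\r\n", "-l fenner\r\n", "/W\r\n", "\r\n" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("old=%d new=%d  %s", old_secure_ok(samples[i]),
               new_secure_ok(samples[i]), samples[i]);
    return 0;
}
```

The `-l fenner` line passes both checks, which shows that the patched rule requires a username but still lets options through.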