From owner-cvs-all  Thu Oct  5 14:27:12 2000
Delivered-To: cvs-all@freebsd.org
Received: from Awfulhak.org (tun.AwfulHak.org [194.242.139.173])
	by hub.freebsd.org (Postfix) with ESMTP
	id B743337B66C; Thu,  5 Oct 2000 14:27:00 -0700 (PDT)
Received: from hak.lan.Awfulhak.org (root@hak.lan.awfulhak.org [172.16.0.12])
	by Awfulhak.org (8.11.0/8.11.0) with ESMTP id e95LMUB06255;
	Thu, 5 Oct 2000 22:22:30 +0100 (BST)
	(envelope-from brian@hak.lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1])
	by hak.lan.Awfulhak.org (8.11.1/8.11.0) with ESMTP id e95LLEn36406;
	Thu, 5 Oct 2000 22:21:14 +0100 (BST)
	(envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200010052121.e95LLEn36406@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Kris Kennaway <kris@citusc.usc.edu>
Cc: Brian Somers <brian@Awfulhak.org>,
	Ruslan Ermilov <ru@FreeBSD.org>, cvs-committers@FreeBSD.org,
	cvs-all@FreeBSD.org, brian@Awfulhak.org
Subject: Re: cvs commit: src/usr.bin/finger finger.c 
In-Reply-To: Message from Kris Kennaway <kris@citusc.usc.edu> 
   of "Thu, 05 Oct 2000 13:58:33 PDT." <20001005135833.A87853@citusc17.usc.edu> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 05 Oct 2000 22:21:14 +0100
From: Brian Somers <brian@Awfulhak.org>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Thu, Oct 05, 2000 at 06:15:31PM +0100, Brian Somers wrote:
> > > ru          2000/10/05 08:56:13 PDT
> > > 
> > >   Modified files:
> > >     usr.bin/finger       finger.c 
> > >   Log:
> > >   Do not allow `finger -m /somefile' as well.
> > >   
> > >   Revision  Changes    Path
> > >   1.21      +4 -4      src/usr.bin/finger/finger.c
> > 
> > Errum, thanks.  Can you mfc too ?
> 
> You know, perhaps after two security holes we should just
> back this darn thing out until someone can review it?

finger -m isn't runnable via fingerd.  This error gives local users 
read access to user ``nobody''s files.

If you've got no confidence in the code, I won't get in your way if 
you want to back it out.

> Kris

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message