Bugtraq mailing list archives

Re: GNU finger 1.37 executes ~/.fingerrc with gid root


From: cwe () it kth se (Christian Wettergren)
Date: Mon, 20 Mar 95 11:26:04 +0100


| There is a bug in the `lib/site/userinfo.c' module of GNU finger version
| 1.37 allowing any user on a system to execute arbitrary commands with gid
| root from ~/.fingerrc. The problem is that GNU finger *first* changes its
| userid thus giving away root privileges and *then* tries to change its gid
| which will not succeed.

I would feel much more comfortable if the return values of setuid() and
setgid() were checked. The current setup assumes the daemon is run as root.
If it is not (it wasn't at our site, for "historical" reasons) it will
keep its spawned identity, not changing it at all, without discovering this.

|                 /* Set uid/gid */
| -       setuid (user->pw_uid);
|         setgid (user->pw_gid);
|   
|         /* Set default directory */
|         chdir (user->pw_dir);
|   
|         /* Run ~/.fingerrc through user shell */
|   #ifdef FINGERRC_SHELL
|         execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
|   #else         
|         execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
|   #endif
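Review bot: as quoted, this hunk only deletes the setuid (user->pw_uid) call ahead of setgid (); no matching setuid () line after the setgid () call is visible in the quoted context, so unless the full patch re-adds it after setgid (), the ~/.fingerrc shell would be exec'd with uid root as well, which is worse than the gid-root problem being fixed. Whatever the final ordering, neither set*id () result is checked before chdir () and execlp (); the exec should be skipped when either call fails, e.g. `if (setgid (user->pw_gid) != 0 || setuid (user->pw_uid) != 0) exit (1);`, which also covers the case of a daemon that was never started as root.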

/Christian Wettergren, cwe () it kth se
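The ordering and the return-value checks discussed in this thread, as an added example in C that is not part of the original post nor of GNU finger's own code: setgid() runs before setuid() (the reverse of the 1.37 bug), both results are checked, and the process then confirms with getuid()/geteuid()/getgid()/getegid() that the switch really happened before it would hand control to a user-supplied file. The function names drop_privileges, identity_is and run_fingerrc_as are hypothetical; the last one mirrors the quoted finger hook but is never called in the demo, since a successful exec would replace the process.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: drop to the target identity in the order that works,
 * group first while the process may still be root, then user.  Every return
 * value is checked, because a failed setuid()/setgid() is otherwise a silent
 * no-op and the process keeps whatever identity it was spawned with.
 * Returns 0 on success, -1 on failure with errno set by the failing call. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* gid first: once setuid() has left uid 0, a setgid() to a different
     * group is refused, which is exactly the GNU finger 1.37 ordering bug. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Hypothetical helper: confirm the kernel now reports the expected real and
 * effective ids.  This check would have flagged a daemon that was never
 * root and therefore never changed identity at all.
 * Returns 1 when every id matches, 0 otherwise. */
int identity_is(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Hypothetical replacement for finger's ~/.fingerrc hook: refuse to exec the
 * user's shell unless the identity switch demonstrably succeeded.
 * Only returns on error; on success execlp() replaces the process. */
int run_fingerrc_as(uid_t uid, gid_t gid, const char *dir,
                    const char *shell, const char *file)
{
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "refusing to run %s: set*id failed (%s)\n",
                file, strerror(errno));
        return -1;
    }
    if (!identity_is(uid, gid)) {
        fprintf(stderr, "refusing to run %s: identity not switched\n", file);
        return -1;
    }
    if (chdir(dir) != 0) {
        fprintf(stderr, "chdir(%s): %s\n", dir, strerror(errno));
        return -1;
    }
    execlp(shell, shell, "-c", file, (char *)NULL);
    fprintf(stderr, "execlp(%s): %s\n", shell, strerror(errno));
    return -1;
}

/* Stand-alone demo: "drop" to our own ids, which is permitted whether or
 * not we are root, and show that the checks pass.  No shell is exec'd. */
int main(void)
{
    uid_t me = getuid();
    gid_t mygroup = getgid();

    if (drop_privileges(me, mygroup) != 0 || !identity_is(me, mygroup)) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now running as uid %lu gid %lu\n",
           (unsigned long)me, (unsigned long)mygroup);
    return 0;
}
```

A complete drop from root would additionally clear supplementary groups with setgroups() before the setgid() call; it is left out here only because setgroups() requires root and the demo is meant to run unprivileged. Run as a non-root user, drop_privileges(0, 0) returns -1 with errno EPERM instead of quietly leaving the identity unchanged, which is the behaviour the thread asks for.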
