Bugtraq mailing list archives
Re: Ffingerd privacy issues
From: eilon () ARISTO TAU AC IL (Eilon Gishri)
Date: Fri, 23 Apr 1999 22:00:08 +0300
On Fri, Apr 23, 1999 at 07:43:33PM +0200, Felix von Leitner wrote:
Thus spake Eilon Gishri (eilon () aristo tau ac il):I found a couple of bugs in ffingerd 1.19 which are related to privacy.OK. I would be happy if you email me (the author) first before publishing this on bugtraq. Next time, maybe.
I've e-mailed you and Cc-ed BugTraq. As my email includes a fix (A very complicated one I must say :)) I also notified the list. I'm not sure I would have done the same if I couldn't fix it myself.
[ffingerd assumes the user wants to be fingered if his home does not give public execute access]
Huh, It's opened if it's closed ?
This is documented in ffingerd. If you want ffingerd to look into protected homes, run it as root.
I want the machine itself to be protected and not only the users home directory. I consider it a feature when I don't have to run fingerd as root. Please don't consider it as a flame, I do like this utility and am using it.
----- (aristo)/cc/eilon>finger root@host.domain [host.domain] That user does not want to be fingered -----Hmmm, now for an unknown user.----- (aristo)/cc/eilon>finger root1@host.domain [host.domain] That user does not want to be fingered. -----Oops. Notice the dot ('.') at the end of the sentence. A very simple and efficient way to find whether the user exists on the remote host or not (taking into account the fact that ffingerd has been installed on the remote host).This has been pointed out to me yesterday. I fixed it today (before I saw this message, by the way), and announced version 1.20 on Freshmeat pointing out this fixed problem. Did you see my announcement and then posted to bugtraq?
Nope. I was playing with it on a machine which I would like to see all fingers which are done to it without giving away any "free" information
This is debatable. If a user wants privacy, he should remove the world readable permission, not the world executable permission.
I disagree.
I will not add this right now but think it over. If anyone wants to comment on the way to go here, feel free to email me. I would prefer discussion this in private email than on bugtraq, but if you must, I will also read bugtraq comments.
-- Eilon Gishri eilon () aristo tau ac il Security Consultant Office: +972-3-6406723 Israel Inter University Computation Center Fax: +972-3-6409118 /* On a matter of national security */ Home: +972-3-5078671
Current thread:
- Re: Bash Bug Andy Church (Apr 21)
- Re: Bash Bug Guy Cohen (Apr 22)
- WebShop advisory. Elaich Of Hhp (Apr 22)
- cold fusion scanner hYP0[13/\r (Apr 22)
- Re: Bash Bug Daniel Jacobowitz (Apr 22)
- Final Call for Papers - CQRE [Secure] networking Detlef Hühnlein (Apr 23)
- Ffingerd privacy issues Eilon Gishri (Apr 23)
- Re: Ffingerd privacy issues Felix von Leitner (Apr 23)
- Re: Ffingerd privacy issues Eilon Gishri (Apr 23)
- Re: Ffingerd privacy issues Dagmar d'Surreal (Apr 23)
- Re: Bash Bug Guy Cohen (Apr 22)
- Re: Bash Bug Ph. Rueegsegger (Apr 23)
- <Possible follow-ups>
- Re: Bash Bug Henrik Nordstrom (Apr 22)