Bugtraq mailing list archives
old gnu finger bugs
From: jones () CNS UNI EDU (CS/Physics student)
Date: Wed, 21 Jul 1999 12:26:54 -0500
This is an old issue that has not been resolved. Gnu finger version 1.37, which is downloadable from metalab, has two old security problems that date back to 1995. Here are some of the original posts.

http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-03-15&thread=199503181615.RAA03894 () trillian in tu-clausthal de

Both problems have to do with dropping permissions improperly.

1) If you allow support for users to use a .fingerrc (a program that is run when you are fingered), that program gets run with group root privileges. This is because the author drops uid before gid and thus doesn't have the power to drop gid.

2) If you symlink your .plan, .forward, or .project to a file that you want, you can read any file on the system when you finger yourself. This is because the author does not drop permissions at all before reading those files.

There are 3 ways to fix this.

1) Simply run the daemon as nobody out of inetd.conf. This works well but doesn't allow the .fingerrc to be run with the user's permissions as the author intended.

2) The erroneous code is in finger-1.37/lib/site/userinfo.c. I have included the diff below which I believe fixes this.

251d250 < setgid (user->pw_gid); 252a252
setgid (user->pw_gid);
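Review bot: the hunk only shows `setgid (user->pw_gid);` being deleted at line 251 and re-added after line 252; the `setuid()` call that the post says must come after it is outside the shown context, so a reader cannot confirm from the hunk alone that setgid now runs before setuid. Please post a few lines of context (or the resulting block), and check the return values of both calls, since a silently failing `setgid()` is exactly how the group-root .fingerrc situation arises; clearing supplementary groups with `setgroups()` before the `setgid()` would also belong here.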
478,482c478 < < /* Set uid/gid */ < setgid (entry->pw_gid); < setuid (entry->pw_uid); < ---
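Review bot: the replacement side of this hunk is missing: after the `---` separator there should be a `> ` line giving the single line that replaces 478-482, but the message ends the hunk there, so the patch cannot be applied as posted. The hunk also deletes the `setgid (entry->pw_gid); setuid (entry->pw_uid);` pair, while the post's second problem is that permissions are not dropped before the .plan/.forward/.project reads; the post should say where in the patched code the drop that now covers those reads happens.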
3) Don't run gnu finger.

Drew
-----
CS/Physics Student at the University of Northern Iowa
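The two mistakes the post describes, dropping uid before gid and reading a user's dot-files before dropping anything, as a worked example in C. This is added illustration, not code from the post or from GNU finger; the function names `drop_privileges`, `open_user_file` and `check_symlink_refused`, and the scratch directory the self-check builds under /tmp, are this example's own assumptions. `drop_privileges` drops groups, then gid, then uid, checks every call and then verifies root cannot be regained; `open_user_file` is only ever called after that drop and additionally refuses symlinks and files not owned by the user, so a `.project` symlinked elsewhere reads nothing.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Drop to the target user (example code; names are this example's own).
 * Order matters: once setuid() has succeeded the process is unprivileged
 * and a later setgid() fails, leaving the group at root, which is the
 * .fingerrc problem in the post. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)           /* group first ... */
        return -1;
    if (setuid(uid) != 0)           /* ... then user */
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && (setuid(0) == 0 || setgid(0) == 0))
        return -1;
    return 0;
}

/* Open a dot-file in a user's home for reading. Must be called only after
 * drop_privileges(). O_NOFOLLOW refuses a symlink as the final component;
 * fstat() then insists on a regular file owned by that user. Returns an fd
 * or -1. */
int open_user_file(const char *home, const char *name, uid_t owner)
{
    char path[PATH_MAX];
    struct stat st;
    int fd;

    if (snprintf(path, sizeof path, "%s/%s", home, name) >= (int)sizeof path)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check: builds a scratch directory holding a real .plan
 * and a .project that is a symlink to it, then confirms the opener accepts
 * the first and refuses the second. Returns 1 if both hold, else 0. */
int check_symlink_refused(void)
{
    char dir[] = "/tmp/finger-demo-XXXXXX";   /* constructed fixture */
    char plan[PATH_MAX], proj[PATH_MAX];
    int ok = 0, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(plan, sizeof plan, "%s/.plan", dir);
    snprintf(proj, sizeof proj, "%s/.project", dir);

    fd = open(plan, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd >= 0) {
        ssize_t n = write(fd, "hello\n", 6);
        close(fd);
        if (n == 6 && symlink(plan, proj) == 0) {
            int good = open_user_file(dir, ".plan", getuid());
            int bad = open_user_file(dir, ".project", getuid());
            ok = (good >= 0 && bad < 0);
            if (good >= 0)
                close(good);
            unlink(proj);
        }
        unlink(plan);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    /* A real daemon would take pw_uid/pw_gid from getpwnam(); dropping to
     * ourselves lets the example run unprivileged. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("symlinked .project refused: %s\n",
           check_symlink_refused() ? "yes" : "no");
    return 0;
}
```

Run as an ordinary user it prints `symlinked .project refused: yes`; the ownership check in `open_user_file` is what also stops a user from pointing `.plan` at a file someone else left world-readable under their own name.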