Bugtraq mailing list archives

old gnu finger bugs


From: jones () CNS UNI EDU (CS/Physics student)
Date: Wed, 21 Jul 1999 12:26:54 -0500


This is an old issue that has not been resolved.

GNU finger version 1.37, which is downloadable from metalab, has two old
security problems that date back to 1995.  Here are some of the original
posts.

http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-03-15&thread=199503181615.RAA03894 () trillian in tu-clausthal de

Both problems have to do with dropping permissions improperly.

1)
        If you allow support for users to use a .fingerrc, a program that
is run when you are fingered, that program gets run with group root
privileges.  This is because the author drops the uid before the gid and thus
doesn't have the power to drop the gid.

2)
        If you symlink your .plan, .forward, or .project to a file that
you want, you can read any file on the system when you finger yourself.
This is because the author does not drop permissions at all before reading
those files.

There are 3 ways to fix this.

1)
        Simply run the daemon as nobody out of inetd.conf.  This works well
but doesn't allow the .fingerrc to be run with the user's permissions as the
author intended.

2)
        The erroneous code is in finger-1.37/lib/site/userinfo.c; I have
included the diff below, which I believe fixes this.

251d250
<         setgid (user->pw_gid);
252a252
        setgid (user->pw_gid);
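Review bot: the line added by `252a252` has lost its leading `> ` marker, so as posted this is not a valid normal-format diff and `patch` will reject it; and because normal-format hunks carry no context lines, nothing here lets a reader confirm that the relocated `setgid (user->pw_gid);` now comes before the `setuid()` call rather than after it, which is the whole point of the fix. The moved call also still ignores its return value and nothing clears supplementary groups, so a failed `setgid()` would silently leave the .fingerrc running with the daemon's gid; suggest `if (setgroups (0, NULL) || setgid (user->pw_gid) || setuid (user->pw_uid)) exit (1);` in that spot, or re-posting as `diff -u` so the order is visible.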
478,482c478
<
<       /* Set uid/gid */
<       setgid (entry->pw_gid);
<       setuid (entry->pw_uid);
<

---
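Review bot: the replacement side of the `478,482c478` hunk is missing: after the `---` separator a normal-format `c` hunk must list the new line 478 prefixed with `> `, but the message ends there, so the hunk as posted only deletes the `setgid (entry->pw_gid); setuid (entry->pw_uid);` block and gives no indication of where the privilege drop is moved so that it precedes the .plan/.project/.forward reads. Please re-post the complete hunk including the `>` line (or the whole thing as a unified diff).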


3)
        Don't run gnu finger.

Drew
-----
CS/Physics Student at the University of Northern Iowa


