Re: CFINGERD security hole


Tadek Knapik (tadek@nautilus.uwoj.krakow.pl)
Mon, 19 Oct 1998 08:16:17 +0200


        Hi,

        The proposed fix to cfingerd does its job, but is not a
solution when it comes to expanding cfingerd's capabilities, e.g. adding
reading of user configuration files. Dropping all privs at NOBODY_PRIVS
causes losing it very early, when reading wtmp, tty, while afaik it
is needed only before execution of user files (and I assume it would
be nice, if .cfingerrc could be mode 0600). I decided to do it
another way - along with NOBODY_PRIVS (used before opening files)
there is DROP_ALL_PRIVS, used before showing .plan and such (and therefore
before execution of any user chosen programs).
        Imho it is a little bit clearer and more "proper" way to do it, and it
also enables the possibility of non-public .cfingerrc files. The results of my work
on cfingerd (added user configuration files, and a bunch of other fixes/
improvements) were sent to Martin Schulze (a while ago:) with proposal of
making it a version 1.3.3. You can find it all at
 ftp://nautilus.uwoj.krakow.pl/pub/cfingerd/ (.tar.gz and S/RPM for RH)

        It is named beta, but I have found no problems using it for two
months now. For a list of complete changes, I suggest reading the
UPDATES file.
        Sincerely,

                                                Tadek Knapik

        PS. I would send it to security@debian.org as well if I was
sure it is not "defeating the purpose of this list" :)

-- 
----------------------------------------------------------------------
|   Tadek Knapik (TxF on #amigapl)    //   "Be yourself, no matter   |
|   tadek@nautilus.uwoj.krakow.pl   \X/     what they say" - Sting   |
----------------------------------------------------------------------
| I use an account provided by my employer; however, my employer in  |
| no way endorses any action or statement of mine, unless stated so. |
----------------------------------------------------------------------
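
The two-stage privilege drop described in the message, as an added C example that is not part of the original post and is not cfingerd's code. The function names only mirror the NOBODY_PRIVS and DROP_ALL_PRIVS macros named above; their bodies and the numeric IDs in main() are assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Stage 1 (hypothetical body): reversible drop while the daemon opens
 * files. Only the effective IDs change; the saved IDs stay root, so the
 * process can switch back. Group first: once euid is not 0, setegid()
 * to an arbitrary group is no longer permitted. */
int nobody_privs(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) return -1;
    return 0;
}

/* Stage 2 (hypothetical body): irreversible drop before showing .plan
 * or running any user-chosen program. */
int drop_all_privs(uid_t uid, gid_t gid)
{
    /* Regain root if stage 1 is active; otherwise setuid() below would
     * change only the effective UID and leave the saved UID at 0. */
    int was_root = (seteuid(0) == 0);

    if (was_root && setgroups(1, &gid) != 0) return -1; /* shed root's groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0)) return -1;
    return 0;
}

int main(void)
{
    /* Constructed IDs: 65534 is "nobody" on many Linux systems and 1000
     * stands in for the fingered user. Both stages need a root start. */
    if (getuid() != 0) { puts("run as root to see both stages"); return 0; }
    if (nobody_privs(65534, 65534) != 0) return 1;
    printf("stage 1: ruid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (drop_all_privs(1000, 1000) != 0) return 1;
    printf("stage 2: ruid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

After stage 1 a call to seteuid(0) still succeeds, which is why only stage 2 is a safe point for running anything the user controls.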


