old gnu finger bugs
From: jones () CNS UNI EDU (CS/Physics student)
Date: Wed, 21 Jul 1999 12:26:54 -0500
This is an old issue that has not been resolved.
Gnu finger version 1.37 which is downloadable from metalab has two old
security problems that date back to 1995. Here are some of the original
http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-03-15&thread=199503181615.RAA03894 () trillian in
Both problems have to do with dropping permissions improperly.
If you allow support for users to use a .fingerrc, a program that
is run when you are fingered, that program gets run with group root
privileges. This is because the author drops uid before gid and thus doesn't
have power to drop gid.
If you symlink your .plan, .forward, or .project to a file that
you want, you can read any file on the system when you finger yourself.
This is because the author does not drop permissions at all before reading
There are 3 ways to fix this.
Simply run the daemon as nobody out of inetd.conf. This works well
but doesn't allow the .fingerrc to be run with the users permissions as the
The erroneous code is in finger-1.37/lib/site/userinfo.c. I have
included the diff below which I believe fixes this.
< setgid (user->pw_gid);
< /* Set uid/gid */
< setgid (entry->pw_gid);
< setuid (entry->pw_uid);
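Review bot: the setgid and setuid calls in these lines are bare statements whose return values are discarded, so a failed drop goes unnoticed and whatever runs next keeps the daemon's privileges; check each call and stop on failure. Keep the order shown in the last two lines (setgid before setuid). No initgroups or setgroups call is visible here, so root's supplementary groups would stay attached to the process; add one ahead of setgid.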
Don't run gnu finger.
CS/Physics Student at the University of Northern Iowa
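The drop order both problems turn on, as an added example that is not part of the original post or of GNU finger: group IDs are changed while the process is still root, the uid goes last, and the result is verified before any user file is opened. The function names drop_privileges and open_user_file are hypothetical, and O_NOFOLLOW is extra hardening the post does not mention.

```c
/* Added example, not GNU finger source: drop root for good, then read. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* setgroups(), O_NOFOLLOW on glibc */
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <unistd.h>

/* Returns 0 only when the process is irreversibly running as uid/gid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Changing groups needs root, so both group calls precede setuid().
     * setgroups() also clears root's supplementary groups; a daemon that
     * wants the user's own list would call initgroups() here instead. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)       /* last: root is gone after this call */
        return -1;
    /* Verify rather than assume: ids match and root cannot be regained. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || (gid != 0 && setgid(0) == 0)))
        return -1;
    return 0;
}

/* Open a per-user file such as .plan. Called after drop_privileges(), the
 * kernel checks access as the user, so a symlink to a root-only file fails.
 * O_NOFOLLOW (extra hardening, not in the post) refuses symlinks outright. */
int open_user_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}
```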