Bugtraq mailing list archives

Re: in.fingerd follows sym-links on Solaris 8
From: "Matthew R. Potter" <mpotter () atpco com>
Date: Thu, 24 May 2001 13:47:18 -0400

I believe it could be dangerous in some cases, but people from
Sun say that they won't repair the in.fingerd because:

Well finger is enabled by default and it runs as nobody... so you can't
link to /etc/shadow... 

finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd

I think finger even still bounces.. @host@host

"There may be legitimate reasons for finger to follow symlinks. If
finger is considered a security issue, it can be disabled. (..)"

I think it's an issue of, what is the point of fixing it? 

What do you think ?

I won't sleep at night over this one. 
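
An added example, not part of the original message: a small audit an administrator could run to see which finger-displayed files in a home directory are symlinks, and whether the daemon account (nobody, per the inetd.conf line above) could read the target. The file names `.plan` and `.project`, the function name `audit_home` and the sample tree are assumptions made for this illustration.

```python
import os
import stat
import tempfile

# Assumption: the per-user files a finger daemon conventionally displays.
FINGER_FILES = (".plan", ".project")

def audit_home(home):
    """Report finger-displayed files in `home` that are symbolic links."""
    findings = []
    home_real = os.path.realpath(home)
    for name in FINGER_FILES:
        link = os.path.join(home, name)
        try:
            if not stat.S_ISLNK(os.lstat(link).st_mode):
                continue  # regular file: nothing is being followed
        except OSError:
            continue  # file absent
        target = os.path.realpath(link)
        outside = os.path.commonpath([home_real, target]) != home_real
        try:
            # The daemon runs as nobody, so the "other" read bit decides
            # whether the target's contents can leak (directory search
            # permissions along the path are not checked here).
            readable = bool(os.stat(target).st_mode & stat.S_IROTH)
        except OSError:
            readable = False  # dangling link
        findings.append({"link": link, "target": target,
                         "outside_home": outside, "world_readable": readable})
    return findings

if __name__ == "__main__":
    # Constructed sample tree, built in a temporary directory.
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "alice")
        os.makedirs(home)
        for fname, mode in (("notes.txt", 0o644), ("private.txt", 0o600)):
            path = os.path.join(root, fname)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)
        os.symlink(os.path.join(root, "notes.txt"), os.path.join(home, ".plan"))
        os.symlink(os.path.join(root, "private.txt"), os.path.join(home, ".project"))
        for f in audit_home(home):
            print(f)
```

A link that is reported with both `outside_home` and `world_readable` set is the case where the daemon would show content from elsewhere on the system; a target readable only by its owner or root is not exposed through a daemon running as nobody.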

