Home page logo

bugtraq logo Bugtraq mailing list archives

Re: in.fingerd follows sym-links on Solaris 8
From: Darren Moffat <Darren.Moffat () eng sun com>
Date: Fri, 25 May 2001 12:54:33 -0700 (PDT)

Ok, the example wasn't good.
It was a long day for me, thus, please forgive me that slip-up.

This is certainly a much better example, but:

On example, many httpd servers works with the same privilages,
it means that you can read any CGI temporary file, and other
files readable only by CGI scripts.

httpd servers shouldn't be running as user nobody they should be
running as user www or something similar.

I think about a case where a CGI script saves some important
information in a temporary file, like PHP do with the sessions:

 -rw------- 1 nobody nobody    329 May 14 12:16  /tmp/sess_0cd156a633

The bug is in one of PHP/CGI/httpd NOT in in.fingerd.

nobody has a very special meaning, it is the user id that root gets mapped
to over NFS.  It was created for that reason and that reason alone, it
is NOT a general purpose account to run daemons or cgi or anything else
under.  If applications need to run as a user other than root then they
should have a user for that application, eg Oracle DB server runs as
the user oracle.

in.fingerd is a special case and it is running as nobody explicitly because
there should be no sensitive files that are owned by the nobody user.  If
you have a system where there are local files that are owned by nobody
then you have a configuration error or a bug in another application but it
isn't in.fingerd's problem.

Darren J Moffat

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]