
RE: Secure Finger Daemon



Hi!

Well, running it chrooted will prevent it from accessing the .plan files and
all the other information you want to provide via finger service. At least if
you provide a correct chroot environment. Anything providing access to files
outside the chroot environment would be a security issue again. I mean, you
can actually update the information in the finger sandbox using some kind of
cronjob. This won't be accurate and may require some patches to the fingerd.
Better think about a different way to provide the information you want to
offer.

Best regards and happy thinking,
Oliver-who-is-quite-angry-about-getting-a-notebook-where-you-cant-run-linux-on
-without-severe-constraints-on-functionality ;)

> -----Original Message-----
> From: eim [mailto:eim@eimbox.org]
> Sent: Sunday, January 06, 2002 11:45 PM
> To: Debian-Security List
> Subject: Re: Secure Finger Daemon
>
>
> my Finger Daemon conclusion...
>
> First, Thanks for all the answers to my question.
>
> Well, so it really seems it's better to avoid using
> any finger daemon, security has always priority.
>
> Anyway I thought the finger daemon would be a nice
> feature for the .plan files, userinfo and mail info
> for the users of my box.
>
> Maybe running fingerd in a chrooted jail as not-root
> user would be a secure-like solution, got to think about it.
>
> Thanks again for all the replies,
> have a nice time...
>  -Ivo
>
> On Sat, 2002-01-05 at 19:09, eim wrote:
> > Hello,
> >
> > I'm planning to install a secure finger daemon
> > on one of the public boxes I admin.
> >
> > Well, out there are really many different finger
> > daemons and in the Debian stable tree I can find:
> >
> > 	* efingerd - Another finger daemon for unix
> > 		   capable of fine-tuning your output.
> > 	* xfingerd - BSD-like finger daemon with qmail support.
> > 	* ffingerd - A secure finger daemon
> > 	* fingerd - Remote user information server.
> > 	* cfingerd - Configurable and secure finger daemon
> >
> > So I've considered using fingered which should be secure.
> >
> > Often I hear and read about exploited finger daemons which
> > gave the attacker system access so I'm asking on this list
> > help about the F Daemon.
> >
> > Which Finger daemon is *really* secure ?
> > Shouldn't I install this service at all ?
> > Any experiences about compromised systems ?
> >
> > Thanks for any help !
> > Have a nice time,
> >  - Ivo
> >
> > --
> >
> >  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
> >  Ivo Marino                    eim@eimbox.org
> >  UN*X Developer, running Debian GNU/Linux
> >  irc.OpenProjects.net #debian
> >  http://eimbox.org
> >  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
> >
> >
> >
> --
>
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>  Ivo Marino                    eim@eimbox.org
>  UN*X Developer, running Debian GNU/Linux
>  irc.OpenProjects.net #debian
>  http://eimbox.org
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>
>
>
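
The cron-driven refresh of the finger sandbox mentioned in the reply above, as an added example that is not part of the original thread: a job running outside the jail copies each user's `.plan` into the chroot, refusing symlinks, non-regular files and files the user does not own, so the copy step itself does not publish files from outside the sandbox. The jail path, the size cap and the function names are assumptions made for illustration.

```python
import os, pwd, stat, tempfile

MAX_PLAN = 4096  # assumed cap on published bytes per user
JAIL_PLANS = "/var/lib/fingerd-jail/plans"  # hypothetical path inside the chroot

def read_plan(home, uid):
    """Return the user's .plan bytes, or None if it is unsafe to publish."""
    try:
        # O_NOFOLLOW: a .plan symlinked to e.g. a root-only file is refused.
        # O_NONBLOCK: a FIFO named .plan cannot hang the job.
        fd = os.open(os.path.join(home, ".plan"),
                     os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        st = os.fstat(fd)  # checks apply to the opened file, so no check/use race
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            return None
        return os.read(fd, MAX_PLAN)
    finally:
        os.close(fd)

def sync_plans(users, jail_plans=JAIL_PLANS):
    """users: iterable of (name, uid, home). Returns the names published."""
    os.makedirs(jail_plans, mode=0o755, exist_ok=True)
    published = []
    for name, uid, home in users:
        if not name or "/" in name or name.startswith("."):
            continue  # never let a login name steer the destination path
        dest = os.path.join(jail_plans, name)
        data = read_plan(home, uid)
        if data is None:
            if os.path.lexists(dest):
                os.unlink(dest)  # drop stale copies of withdrawn plans
            continue
        fd, tmp = tempfile.mkstemp(dir=jail_plans)
        with os.fdopen(fd, "wb") as out:
            out.write(data)
        os.chmod(tmp, 0o644)   # readable by the unprivileged fingerd user
        os.replace(tmp, dest)  # atomic: fingerd never sees a partial file
        published.append(name)
    return published

if __name__ == "__main__":  # run from cron, outside the jail
    sync_plans((p.pw_name, p.pw_uid, p.pw_dir) for p in pwd.getpwall())
```

As the reply notes, the jailed copy is only as fresh as the last cron run, and the daemon has to be pointed at the jail's plan directory instead of the home directories.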



