Re: Finger daemons in Debian should use a virtual package
On 2000-05-22 at 23:28 -0800, Ethan Benson wrote:
> On Tue, May 23, 2000 at 02:35:40AM -0400, Mike Bilow wrote:
* * *
> > This seems like a bit of work, honestly. Finger daemons are easy to
> > write, so they have often provided egregious security vulnerabilities.
> > Given that history, I am not sure this is such a good idea, anyway.
>
> how absurd! the excuse for stupid security flaws in huge complicated
> software is `oh theres so much code to audit and do right!!' and now
> the excuse for tiny trivially simple programs is that they are small
> and easy to screw up?? come now, some silly little finger daemon
> should be fully auditable in a weekend or less, just audit it every
> weekend for 2 months and you should have the most secure finger ever!
No, no... the superfinger daemon would be easily auditable. What I mean
is that it would a security nightmare to run a superfinger daemon that
allowed, say, each user to choose what binary is executed when their user
account is fingered. After all, a finger daemon should usually run with
extremely low privilege anyway, usually as "nobody," but it is the loss
of centralized control of what gets run from inetd which poses risk.
> [note to humor impaired: im not flaming just mocking the absurdity of
> unsecure fingers]
I did not take your reply as a flame at all. It was my own fault for not
explaining myself more clearly.
-- Mike
Reply to: