
Re: finger



It's possible to make .plan or .project named pipes, which means that
the act of reading them can cause code to be executed.  If finger executes
suid root, then said code can execute as root.  The potential for mischief
should be obvious.

Thus spake Rostislav Vorobyev on Mon, May 22, 2000 at 02:01:00AM CDT
> Dear friends,
> 
> Can someone explain to me why people do not set 4755 permissions on the finger
> program? I see good reasons to do that: if a user does not allow others to see
> his/her ~user tree, finger will display .plan, .project and maybe .pgp --
> depending on the finger version -- in any case. Maybe there are special
> reasons not to do that? Security? Something else?
> 
> 
> Thank you in advance,
> 
> Rost

-- 
Lindsay Haisley       | "Everything works    |     PGP public key
FMP Computer Services |       if you let it" |      available at
fmouse@fmp.com        |    (The Roadie)      | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                      |
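
An added example, not part of the original message and not code from any finger implementation: one way a program that reads user-controlled files such as .plan or .project can refuse anything that is not a regular file, including the named pipes discussed above. The helper name `open_plan_regular` and the temporary paths are assumptions made for this sketch.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not taken from any finger source: open a
 * user-controlled file such as ~/.plan only if it is a regular file.
 * Returns a read-only descriptor, or -1 with errno set. */
int open_plan_regular(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink as the final path component;
     * O_NONBLOCK keeps open() from hanging on a FIFO with no writer. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* Check the descriptor already held, not the path, so the file
     * cannot be swapped between the check and the read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed demo: a regular .plan and a FIFO .project in a temp dir. */
int main(void)
{
    char dir[] = "/tmp/plandemoXXXXXX", plan[64], proj[64];
    if (!mkdtemp(dir))
        return 1;
    snprintf(plan, sizeof plan, "%s/.plan", dir);
    snprintf(proj, sizeof proj, "%s/.project", dir);
    FILE *f = fopen(plan, "w");
    if (!f || mkfifo(proj, 0600) != 0)
        return 1;
    fclose(f);
    int fd = open_plan_regular(plan);
    printf(".plan (regular file): %s\n", fd >= 0 ? "opened" : "refused");
    if (fd >= 0) close(fd);
    printf(".project (FIFO): %s\n", open_plan_regular(proj) < 0 ? "refused" : "opened");
    unlink(plan); unlink(proj); rmdir(dir);
    return 0;
}
```

A setuid reader would normally combine a check like this with switching its effective uid to the owner of the home directory before opening anything under it.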


