From ddaniel@furlong.jpl.nasa.gov Mon Aug 26 09:30:25 1996
Received: from furlong.jpl.nasa.gov (furlong.jpl.nasa.gov [128.149.64.200]) by suburbia.net (8.7.4/Proff-950810) with SMTP id JAA24516 for ; Mon, 26 Aug 1996 09:30:14 +1000
Received: (from ddaniel@localhost) by furlong.jpl.nasa.gov (8.6.12/8.6.9) id QAA04110; Sun, 25 Aug 1996 16:29:27 -0700
Message-Id: <199608252329.QAA04110@furlong.jpl.nasa.gov>
To: leitner@math.fu-berlin.de (Felix von Leitner)
Cc: best-of-security@suburbia.net
Subject: Re: BoS: cfingerd possible security hole
In-reply-to: Your message of Sun, 25 Aug 1996 20:40:01 +0200.
Date: Sun, 25 Aug 1996 16:29:26 PDT
From: Daniel Bromberg

> Let me take this opportunity to spread unsolicited advertisement for my
> finger daemon:
>
> ftp://ftp.prz.tu-berlin.de/pub/unix/security/ffingerd
>
> It comes with autoconf support, is supposed to run as nobody, does
> paranoid syslogging and does not allow @host queries and symlinks as
> .forward. [?fingerlog?]
> It does not give away things like the users' shell and home
> directory.

Note that we shouldn't forget about the old /bin/mail-type race condition. Checking for a symlink doesn't mean it won't be a few ticks later when the file is actually open()'d and written to. While fingerd should be run as nobody, people might still run it as root.

Is there a secure way to check-for-non-symlink-and-open atomically? Probably not, and thus a better algorithm is to follow the symlinks to the actual file, and check the permissions on it.

Daniel Bromberg, Co-op        ddaniel@mit.edu
M/S 171-300                   (818) 393-3872
Jet Propulsion Laboratory
4800 Oak Grove Dr.
Pasadena, CA 91109
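The two approaches the reply weighs, shown as an added example that is not part of the message thread and not ffingerd's or cfingerd's code. It assumes a POSIX.1-2008 system with O_NOFOLLOW (a flag that did not exist when the message was written), a writable /tmp, and a constructed scratch directory of its own. `open_nofollow` is the atomic check-and-open the author asks about: the kernel refuses the open itself when the last path component is a symlink, so there is no window between the check and the open. `open_checked` is the author's alternative: follow the link, then judge the object actually opened by calling fstat() on the descriptor rather than stat() on the path, since a second path lookup would reopen the race.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Atomic "refuse a symlink and open" (assumption: a system with O_NOFOLLOW).
 * The kernel fails the open() if the final component is a symlink, so an
 * attacker cannot swap a regular file for a link between check and open.
 * Returns a descriptor, or -1 with errno ELOOP (EMLINK on some BSDs). */
int open_nofollow(const char *path, int flags)
{
    return open(path, flags | O_NOFOLLOW | O_CLOEXEC);
}

/* The reply's alternative: follow the link to the real file, then inspect
 * the object actually opened via fstat() on the descriptor. Accepts only a
 * regular file owned by `owner`, with one link and no group/other write bit.
 * Returns the descriptor, or -1 (descriptor closed, errno EPERM). */
int open_checked(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner
        || st.st_nlink != 1 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario (hypothetical files, not from the thread): a scratch
 * directory holding a private regular file, a symlink to it, and a
 * group/other-writable file. Returns 0 when every check behaves as
 * described, otherwise the number of the step that failed. */
int demo(void)
{
    char dir[] = "/tmp/ffingerd-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char regular[PATH_MAX], link[PATH_MAX], loose[PATH_MAX];
    snprintf(regular, sizeof regular, "%s/regular", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(loose, sizeof loose, "%s/loose", dir);

    int rc = 2, fd;
    if ((fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    close(fd);
    if (symlink(regular, link) != 0) goto out;
    if ((fd = open(loose, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    close(fd);
    if (chmod(loose, 0666) != 0) goto out;   /* explicit chmod: umask does not interfere */

    /* Step 3: O_NOFOLLOW opens the real file but rejects the symlink. */
    rc = 3;
    fd = open_nofollow(regular, O_RDONLY);
    if (fd < 0) goto out;
    close(fd);
    fd = open_nofollow(link, O_RDONLY);
    if (fd >= 0) { close(fd); goto out; }
    if (errno != ELOOP && errno != EMLINK) goto out;

    /* Step 4: open-then-fstat accepts the private file even through the
     * symlink (it judges the target, not the link) but rejects the loose file. */
    rc = 4;
    fd = open_checked(link, getuid());
    if (fd < 0) goto out;
    close(fd);
    if (open_checked(loose, getuid()) >= 0) goto out;
    rc = 0;
out:
    unlink(loose); unlink(link); unlink(regular); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("%s (rc=%d)\n", rc == 0 ? "all checks behaved as expected" : "a step failed", rc);
    return rc;
}
```

Which of the two to use depends on the policy: O_NOFOLLOW enforces "no symlink at all", which is what ffingerd's .forward rule wants; open-then-fstat enforces "whatever this resolves to must be a safe file", which is what the reply proposes. Either way the property is decided by the kernel on the object that was actually opened, not by an earlier lstat() on a path that may have changed since.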