From ddaniel@furlong.jpl.nasa.gov  Mon Aug 26 09:30:25 1996
Received: from furlong.jpl.nasa.gov (furlong.jpl.nasa.gov [128.149.64.200]) by suburbia.net (8.7.4/Proff-950810) with SMTP id JAA24516 for <best-of-security@suburbia.net>; Mon, 26 Aug 1996 09:30:14 +1000
Received: (from ddaniel@localhost) by furlong.jpl.nasa.gov (8.6.12/8.6.9) id QAA04110; Sun, 25 Aug 1996 16:29:27 -0700
Message-Id: <199608252329.QAA04110@furlong.jpl.nasa.gov>
To: leitner@math.fu-berlin.de (Felix von Leitner)
Cc: best-of-security@suburbia.net
Subject: Re: BoS: cfingerd possible security hole 
In-reply-to: Your message of Sun, 25 Aug 1996 20:40:01 +0200.
             <m0uuk6L-000JHPC@maddison.math.fu-berlin.de> 
Date: Sun, 25 Aug 1996 16:29:26 PDT
From: Daniel Bromberg <ddaniel@furlong.jpl.nasa.gov>

> Let me take this opportunity to spread unsolicited advertisement for my
> finger daemon:
> 
>   ftp://ftp.prz.tu-berlin.de/pub/unix/security/ffingerd
> 
> It comes with autoconf support, is supposed to run as nobody, does
> paranoid syslogging and does not allow @host queries and symlinks as
> .forward. [?fingerlog?]
> It does not give away things like the users' shell and home
> directory.

Note that we shouldn't forget about the old /bin/mail-type race
condition.  Checking for a symlink doesn't mean it won't be a few
ticks later when the file is actually open()'d and written to. While
fingerd should be run as nobody, people might still run it as root.
Is there a secure way to check-for-non-symlink-and-open atomically?
Probably not, and thus a better algorithm is to follow the symlinks to
the actual file, and check the permissions on it.

						Daniel Bromberg, Co-op
						ddaniel@mit.edu
						M/S 171-300 (818) 393-3872
						Jet Propulsion Laboratory
						4800 Oak Grove Dr.
						Pasadena, CA 91109
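The question raised in the reply above (checking for a symlink and opening the file atomically) is answerable on modern systems with O_NOFOLLOW, an open(2) flag added to POSIX after this message was written: the kernel refuses a symlink at the final path component inside the same call, and the ownership and permission checks are then done with fstat() on the descriptor already obtained, so there is nothing left to race. The following is an added example, not code from this thread or from ffingerd or cfingerd; the scratch directory layout, the file names and the "owned by the caller, writable only by the owner, single link" policy are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for appending without following a symlink at the final
 * component: O_NOFOLLOW makes "is it a symlink?" and the open one syscall,
 * so there is no window between check and use. The remaining checks run
 * on the opened descriptor, never on the name. Returns the fd or -1. */
int open_regular_nofollow(const char *path, uid_t owner)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demonstration: a scratch directory holding a real .forward
 * file and a symlink pointing at it. Returns 0 when the real file opens
 * and the symlink is refused, otherwise the number of the failing step. */
int demo(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", real[64], sym[64];
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(real, sizeof real, "%s/.forward", dir);
    snprintf(sym, sizeof sym, "%s/forward-link", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 2;
    close(fd);
    if (symlink(real, sym) != 0)
        return 3;
    int rc = 0;
    fd = open_regular_nofollow(real, getuid());
    if (fd < 0) rc = 4; else close(fd);
    fd = open_regular_nofollow(sym, getuid());
    if (fd >= 0) { close(fd); rc = 5; }      /* the symlink must be refused */
    unlink(sym); unlink(real); rmdir(dir);
    return rc;
}
```

Following the link to its target and checking permissions there, as the reply suggests, is still racy because the target can be swapped between the check and the open; refusing the link outright and inspecting only the descriptor you already hold is the safe form.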

