Path: utzoo!utgpu!watmath!clyde!att!rutgers!ukma!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: pb%computer-lab.cambridge.ac.uk@nss.cs.ucl.ac.uk (Piete Brooks)
Newsgroups: comp.sys.sun
Subject: Re: Yet another finger hole
Message-ID: 
Date: 3 Dec 88 23:22:46 GMT
Sender: usenet@rice.edu
Organization: Rice University, Houston, Texas
Lines: 26
Approved: Sun-Spots@rice.edu
Original-Date: Wed, 23 Nov 88 9:10 GMT
X-Sun-Spots-Digest: Volume 7, Issue 36, message 4 of 12
X-Issue-Reference: v7n22

> The fix, as I see it, is to run a more reasonable inetd (like the 4.3BSD
> one, which allows you to specify the user as which a daemon should run),
> or to do:
> 	# chown nobody /usr/etc/in.fingerd
> 	# chgrp nobody /usr/etc/in.fingerd
> 	# chmod 6755 /usr/etc/in.fingerd
> This will make fingerd run as nobody.

********** DO NOT DO THIS without thinking VERY carefully ! **********

As I see it this allows anyone who accesses your machine as "nobody" (e.g.
root on an untrusted machine accessible to random undergrads) to gain root
access to your machine !

If they can mount your /usr/etc writable, then all they have to do is to
chmod in.fingerd (if people really DID set it writable by "nobody") so
that they can write it, insert their favourite program, chmod it to be NOT
setuid, then run a remote finger !

May I suggest moving /usr/etc/in.fingerd to (e.g.) /usr/etc/In.fingerd and
replacing it with a script:

#! /bin/sh
# inetd starts this as root; drop to "nobody" before running the real daemon
exec su nobody -c /usr/etc/In.fingerd

[ exec if you don't trust your sh to exec the last command of a script ]
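An added audit script (my own example, not from the original posting) for checking the state the thread argues about: that a daemon such as in.fingerd is still root-owned with no setuid/setgid bit, and that no setuid/setgid files anywhere under a directory such as /usr/etc are owned by a shared account like "nobody". The paths and the user name are parameters; "nobody" and /usr/etc below are only the values from this thread.

```shell
#!/bin/sh
# Audit helpers (added example, not the original poster's code). Assumes a
# POSIX find(1) and that the directory being checked is local or mounted
# read-only to you, as a writable NFS mount is exactly the risk discussed.

# Print every setuid or setgid regular file under directory $1 that is owned
# by user $2 (e.g. "nobody"). Returns 1 if any were found, 0 if none.
find_setid_owned_by() {
    dir=$1; owner=$2
    hits=$(find "$dir" -type f -user "$owner" \
                \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Return 0 if $1 is a regular file owned by user $2 with neither the setuid
# nor the setgid bit set, which is what the su-wrapper approach relies on.
# Returns 1 for a missing file, another owner, or any set-id bit.
daemon_mode_ok() {
    path=$1; owner=$2
    [ -n "$(find "$path" -prune -type f -user "$owner" \
                 ! -perm -4000 ! -perm -2000 2>/dev/null)" ]
}

# Run both checks with the values from this thread; exits nonzero on a finding.
audit_fingerd() {
    daemon_mode_ok "${1:-/usr/etc/In.fingerd}" root || return 1
    find_setid_owned_by "${2:-/usr/etc}" nobody
}
```

Run it as "audit_fingerd /usr/etc/In.fingerd /usr/etc" after installing the wrapper; any path it prints is a set-id file that "nobody" could rewrite.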