Debian bug report logs - #1674, boring messages


Message sent to debian-devel@pixar.com:


Subject: Bug#1674: fingerd allows recursion, -w forks two copies of the shell
Reply-To: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>, debian-bugs@pixar.com
Resent-From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Resent-To: debian-devel@pixar.com
Resent-Date: Fri, 13 Oct 1995 16:33:01 GMT
Resent-Message-ID: <debian-bugs-handler.1674.B10131619240@pixar.com>
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: netstd
X-Debian-PR-Keywords: 
Received: via spool for debian-bugs; Fri, 13 Oct 1995 16:33:01 GMT
Received: with rfc822 via encapsulated-mail; Fri, 13 Oct 1995 16:19:22 GMT
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t3mnP-000BbXC; Fri, 13 Oct 95 09:17 PDT
Received: from i17linuxb.ists.pwr.wroc.pl by pixar.com with SMTP id AA11278
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 13 Oct 1995 09:16:51 -0700
Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.6.12/8.6.9) id RAA02299 for debian-bugs@pixar.com; Fri, 13 Oct 1995 17:17:07 +0100
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Message-Id: <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl>
To: debian-bugs@pixar.com
Date: Fri, 13 Oct 1995 17:17:03 +0100 (MET)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1387

Package: netstd
Version: 1.17-1

It seems that the recursive finger problem has been attempted to solve
by using the "finger.atbug" patch from sunsite.  This is wrong - this
problem needs to be solved in fingerd, not finger.  Try to telnet to
the finger port on Debian GNU/MIT/BSD/Linux system (I think that is
the right name, to be fair :-), and type "user@host.some.domain" -
and it will finger the requested address (this is only one level of
recursion - but it is still not the right thing to do).

The right fix is to check for '@' characters in fingerd, not finger.

While we are at it, fingerd -w does system("/bin/sh -c /usr/bin/uptime")
and system() forks yet another copy of the shell...  This only causes
unnecessary system overhead for every incoming finger request.  At the
very least, I suggest to change that to system("/usr/bin/uptime"), or
(even better) use the classic fork/exec/wait piece of code to avoid
running the shell at all (just run /usr/bin/uptime directly).

BTW, why does fingerd run as root?  If there is a user "nobody" listed
in /etc/passwd, fingerd will change the uid to that user, but it would
be a little safer to specify "nobody" as the user in /etc/inetd.conf -
if getpwnam() fails (not necessarily because there is no user "nobody",
another reason may be just not enough memory and malloc returning NULL),
fingerd will still run as root...

Marek
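The three changes requested in the report above, sketched in C as an added example; this is not code from the report or from the netstd fingerd source, and the function names `is_forward_request`, `run_direct` and `drop_privileges` are hypothetical. It assumes a POSIX system where the daemon is started as root by inetd.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: 1 if the request line names a remote host
 * ("user@host"), i.e. asks the daemon to forward the query. */
int is_forward_request(const char *line)
{
    return strchr(line, '@') != NULL;
}

/* Hypothetical helper: run a program by absolute path with no shell
 * (fork, execv, waitpid). Returns the exit status, 127 if exec failed. */
int run_direct(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);              /* only reached when execv() failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical helper: switch to an unprivileged account. Every failure,
 * including a failed getpwnam() lookup, returns -1 so the caller can
 * exit instead of continuing under its original uid. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    if (geteuid() == 0 && setgroups(1, &pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return (getuid() == pw->pw_uid && geteuid() == pw->pw_uid) ? 0 : -1;
}
```

For the `-w` case the caller would pass `/usr/bin/uptime` with an argv of `{"uptime", NULL}`, and treat a `-1` from `drop_privileges("nobody")` as fatal before reading any request.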


Message sent:


From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Subject: Bug#1674: Acknowledgement (was: fingerd allows recursion, -w forks two copies of the shell)
In-Reply-To: <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl>
References: <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl>

Thank you for the problem report you have sent regarding Debian GNU/Linux.
This is an automatically generated reply, to let you know your message has
been received.  It is being forwarded to the developers' mailing list for
their attention; they will reply in due course.

If you wish to submit further information on your problem, please send
it to debian-bugs@pixar.com, but please ensure that the Subject
line of your message starts with "Bug#1674" or "Re: Bug#1674" so that
we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)


Message sent to debian-devel@pixar.com:


Subject: Bug#1674: fingerd allows recursion, -w forks two copies of the shell
Reply-To: "James A. Robinson" <jimr@simons-rock.edu>, debian-bugs@pixar.com
Resent-From: "James A. Robinson" <jimr@simons-rock.edu>
Resent-To: debian-devel@pixar.com
Resent-Date: Tue, 17 Oct 1995 01:48:01 GMT
Resent-Message-ID: <debian-bugs-handler.1674.B10170135350@pixar.com>
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: netstd
X-Debian-PR-Keywords: 
Received: via spool for debian-bugs; Tue, 17 Oct 1995 01:48:01 GMT
Received: with rfc822 via encapsulated-mail; Tue, 17 Oct 1995 01:35:32 GMT
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t50uy-0006F0C; Mon, 16 Oct 95 18:34 PDT
Received: from plato.simons-rock.edu by pixar.com with SMTP id AA16676
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Mon, 16 Oct 1995 18:33:46 -0700
Received: from simons-rock.edu by plato.simons-rock.edu with smtp
	(Smail3.1.29.1 #1) id m0t50tz-0003JXC; Mon, 16 Oct 95 21:33 EDT
Message-Id: <m0t50tz-0003JXC@plato.simons-rock.edu>
To: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>,
        debian-bugs@pixar.com
In-Reply-To: Message from Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
   of "Fri, 13 Oct 1995 17:17:03 BST." <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl>
Date: Mon, 16 Oct 1995 21:33:10 -0400
From: "James A. Robinson" <jimr@simons-rock.edu>


These are a forward of two messages that got messed up in transit


Jim
-------------------------------------------------------------------------------
Date:    Fri, 13 Oct 1995 23:52:37 EDT
From:    "James A. Robinson" <jimr@simons-rock.edu>
cc:      Ian Jackson <iwj10@cus.cam.ac.uk>
Subject: Re: Bug#1674: fingerd allows recursion, -w forks two copies of the shell

> It seems that the recursive finger problem has been attempted to solve
> by using the "finger.atbug" patch from sunsite.  This is wrong - this
> problem needs to be solved in fingerd, not finger.  Try to telnet to

Perhaps people should look at kfingerd, I'm not sure how secure it is,
but it seems fairly nice -- can block site-wide queries, can allow the
user to log queries, can execute shell scripts on finger query, etc...

As far as I can tell, it does not allow recursive finger probes.


Jim
P.S. Ian J., you're the only security person I know of, so I
     am cc'ing you. :)

-------------------------------------------------------------------------------
Date:    Tue, 17 Oct 1995 02:26:00 -0000
From:    Ian Jackson <ian@chiark.chu.cam.ac.uk>
To:      "James A. Robinson" <jimr@simons-rock.edu>
Subject: Re: Lost mail to iwj10@cus.cam.ac.uk


Cheers.

I'm not convinced that installing a new fingerd with more features
(esp. being able to run shell scripts) will improve security, but I do
think that having a range of software available is a good thing.

Do we have a GNU fingerd package ?  Obviously this is not the hottest
security thing since sliced bread.

The fingerd we have atm should be fixed (and reviewed to see if there
are any other obvious sillinesses).

Ian.


Message sent:


From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: "James A. Robinson" <jimr@simons-rock.edu>
Subject: Bug#1674: Info received (was Bug#1674: fingerd allows recursion, -w forks two copies of the shell)
In-Reply-To: <m0t50tz-0003JXC@plato.simons-rock.edu>
References: <m0t50tz-0003JXC@plato.simons-rock.edu>

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developers to
accompany the original report.

If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com, ensuring
that the Subject line starts with "Bug#1674" or "Re: Bug#1674" so that
we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)


Message sent:


From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: tobias@et-inf.fho-emden.de
In-Reply-To: <9510172257.AA26908@server.et-inf.fho-emden.de>
References: <9510172257.AA26908@server.et-inf.fho-emden.de> <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl>
Subject: Bug#1674: marked as done (was: fingerd allows recursion, -w forks two copies of the shell)

Your message dated Tue, 17 Oct 1995 23:57:45 +0100 (MET)
with message-id <9510172257.AA26908@server.et-inf.fho-emden.de>
and subject line Bug#1674: fingerd allows recursion, -w forks two copies of the shell
has caused the attached bug report to be marked as done.

It is now your responsibility to ensure that the bug report is dealt
with.

(NB: If you are a system administrator and have no idea what I'm
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Ian Jackson
(maintainer, debian-bugs)


Message sent:


From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Subject: Bug#1674 acknowledged by developer (was: fingerd allows recursion, -w forks two copies of the shell)
References: <9510172257.AA26908@server.et-inf.fho-emden.de> <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl>
In-Reply-To: <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl>

This is an automatic notification regarding your bug report.

Responsibility for it has been taken by one of the developers, namely
"Peter Tobias" <tobias@server.et-inf.fho-emden.de> (reply to tobias@et-inf.fho-emden.de).

You should be hearing from them with a substantive response shortly, if
you have not already done so.  If not, please contact them directly,
or email debian-bugs@pixar.com or myself.

Ian Jackson
(maintainer, debian-bugs)


Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov