Debian bug report logs - #1674
fingerd allows recursion, -w forks two copies of the shell

Package: netstd; Reported by: Marek Michalkiewicz; Done: "Peter Tobias".

-----------------------------------------------------------------------

Message received at debian-bugs-done:

From server.et-inf.fho-emden.de!tobias Tue Oct 17 16:07:23 1995
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t5L6P-0005zAC; Tue, 17 Oct 95 16:07 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA04645 (5.67b/IDA-1.5 for debian-bugs-done-pipe@mongo.pixar.com); Tue, 17 Oct 1995 16:06:51 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3) id AA26908; Tue, 17 Oct 1995 23:57:45 +0100
Message-Id: <9510172257.AA26908@server.et-inf.fho-emden.de>
Subject: Re: Bug#1674: fingerd allows recursion, -w forks two copies of the shell
To: marekm@i17linuxb.ists.pwr.wroc.pl
Date: Tue, 17 Oct 1995 23:57:45 +0100 (MET)
From: "Peter Tobias"
Cc: debian-bugs-done@pixar.com
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl> from "Marek Michalkiewicz" at Oct 13, 95 05:17:03 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 1797

Marek Michalkiewicz wrote:
> Package: netstd
> Version: 1.17-1
>
> It seems that the recursive finger problem has been attempted to solve
> by using the "finger.atbug" patch from sunsite. This is wrong - this
> problem needs to be solved in fingerd, not finger. Try to telnet to
> the finger port on Debian GNU/MIT/BSD/Linux system (I think that is
> the right name, to be fair :-), and type "user@host.some.domain" -
> and it will finger the requested address (this is only one level of
> recursion - but it is still not the right thing to do).
>
> The right fix is to check for '@' characters in fingerd, not finger.
>
> While we are at it, fingerd -w does system("/bin/sh -c /usr/bin/uptime")
> and system() forks yet another copy of the shell... This only causes
> unnecessary system overhead for every incoming finger request. At the
> very least, I suggest to change that to system("/usr/bin/uptime"), or
> (even better) use the classic fork/exec/wait piece of code to avoid
> running the shell at all (just run /usr/bin/uptime directly).
>
> BTW, why does fingerd run as root? If there is a user "nobody" listed
> in /etc/passwd, fingerd will change the uid to that user, but it would
> be a little safer to specify "nobody" as the user in /etc/inetd.conf -
> if getpwnam() fails (not necessarily because there is no user "nobody",
> another reason may be just not enough memory and malloc returning NULL),
> fingerd will still run as root...

I'll close this bug report with this message. All bugs you mentioned
have been fixed.

Peter

--
Peter Tobias                                EMail:
Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
Constantiaplatz 4, 26723 Emden, Germany

-----------------------------------------------------------------------

Notification sent to Marek Michalkiewicz: Bug acknowledged by developer. Full text available.

-----------------------------------------------------------------------

Reply sent to tobias@et-inf.fho-emden.de: You have taken responsibility. Full text available.
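The three changes the report above asks for, written as an added example in C (this is not the netstd fingerd source nor code from anyone in this thread, and the function names are mine): refuse a request containing '@' inside fingerd before any lookup, run /usr/bin/uptime with fork/exec/wait so no /bin/sh is started, and fail closed when getpwnam() returns NULL instead of carrying on as root.

```c
#include <pwd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fix 1: refuse forwarding requests ("user@host.some.domain") in fingerd
 * itself, scanning up to the CRLF that ends a finger request line.
 * Returns 1 if the query is purely local, 0 if it contains '@'. */
int finger_request_is_local(const char *req)
{
    for (const char *p = req; *p && *p != '\r' && *p != '\n'; p++)
        if (*p == '@')
            return 0;
    return 1;
}

/* Fix 2: run a program with fork/exec/wait so no /bin/sh is started.
 * Returns the child's exit status (127 if exec failed), -1 on fork/wait error. */
int run_without_shell(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);               /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* What fingerd -w would call instead of system("/bin/sh -c /usr/bin/uptime"). */
int run_uptime(void)
{
    char *const argv[] = { "uptime", NULL };
    return run_without_shell("/usr/bin/uptime", argv);
}

/* Fix 3: drop to `user` and fail closed: a NULL from getpwnam() (missing user
 * or ENOMEM) returns -1 so the caller exits instead of serving as root. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return (getuid() == pw->pw_uid && geteuid() == pw->pw_uid) ? 0 : -1;
}
```

A caller that gets -1 from drop_privileges() must exit; the inetd.conf user field the report suggests is the belt to this function's braces.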
-----------------------------------------------------------------------

Message received at debian-bugs:

From simons-rock.edu!jimr Mon Oct 16 18:34:29 1995
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t50uy-0006F0C; Mon, 16 Oct 95 18:34 PDT
Received: from plato.simons-rock.edu by pixar.com with SMTP id AA16676 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Mon, 16 Oct 1995 18:33:46 -0700
Received: from simons-rock.edu by plato.simons-rock.edu with smtp (Smail3.1.29.1 #1) id m0t50tz-0003JXC; Mon, 16 Oct 95 21:33 EDT
To: Marek Michalkiewicz, debian-bugs@pixar.com
Subject: Re: Bug#1674: fingerd allows recursion, -w forks two copies of the shell
In-Reply-To: Message from Marek Michalkiewicz of "Fri, 13 Oct 1995 17:17:03 BST." <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl>
Date: Mon, 16 Oct 1995 21:33:10 -0400
From: "James A. Robinson"

This is a forward of two messages that got messed up in transit.

Jim

-------------------------------------------------------------------------------

Date: Fri, 13 Oct 1995 23:52:37 EDT
From: "James A. Robinson"
cc: Ian Jackson
Subject: Re: Bug#1674: fingerd allows recursion, -w forks two copies of the shell

> It seems that the recursive finger problem has been attempted to solve
> by using the "finger.atbug" patch from sunsite. This is wrong - this
> problem needs to be solved in fingerd, not finger. Try to telnet to

Perhaps people should look at kfingerd. I'm not sure how secure it is,
but it seems fairly nice -- can block site-wide queries, can allow the
user to log queries, can execute shell scripts on finger query, etc...
As far as I can tell, it does not allow recursive finger probes.

Jim

P.S. Ian J., you're the only security person I know of, so I am cc'ing you. :)

-------------------------------------------------------------------------------

Date: Tue, 17 Oct 1995 02:26:00 -0000
From: Ian Jackson
To: "James A. Robinson"
Subject: Re: Lost mail to iwj10@cus.cam.ac.uk

Cheers.

I'm not convinced that installing a new fingerd with more features
(esp. being able to run shell scripts) will improve security, but I do
think that having a range of software available is a good thing. Do we
have a GNU fingerd package?

Obviously this is not the hottest security thing since sliced bread.
The fingerd we have atm should be fixed (and reviewed to see if there
are any other obvious sillinesses).

Ian.

-----------------------------------------------------------------------

Acknowledgement sent to "James A. Robinson": Extra info received and forwarded. Full text available.

-----------------------------------------------------------------------

Information forwarded to debian-devel@pixar.com: Bug#1674; Package netstd. Full text available.

-----------------------------------------------------------------------

Message received at debian-bugs:

From i17linuxb.ists.pwr.wroc.pl!marekm Fri Oct 13 09:17:19 1995
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t3mnP-000BbXC; Fri, 13 Oct 95 09:17 PDT
Received: from i17linuxb.ists.pwr.wroc.pl by pixar.com with SMTP id AA11278 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 13 Oct 1995 09:16:51 -0700
Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.6.12/8.6.9) id RAA02299 for debian-bugs@pixar.com; Fri, 13 Oct 1995 17:17:07 +0100
From: Marek Michalkiewicz
Message-Id: <199510131617.RAA02299@i17linuxb.ists.pwr.wroc.pl>
Subject: fingerd allows recursion, -w forks two copies of the shell
To: debian-bugs@pixar.com
Date: Fri, 13 Oct 1995 17:17:03 +0100 (MET)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1387

Package: netstd
Version: 1.17-1

It seems that the recursive finger problem has been attempted to solve
by using the "finger.atbug" patch from sunsite. This is wrong - this
problem needs to be solved in fingerd, not finger. Try to telnet to
the finger port on Debian GNU/MIT/BSD/Linux system (I think that is
the right name, to be fair :-), and type "user@host.some.domain" -
and it will finger the requested address (this is only one level of
recursion - but it is still not the right thing to do).

The right fix is to check for '@' characters in fingerd, not finger.

While we are at it, fingerd -w does system("/bin/sh -c /usr/bin/uptime")
and system() forks yet another copy of the shell... This only causes
unnecessary system overhead for every incoming finger request. At the
very least, I suggest to change that to system("/usr/bin/uptime"), or
(even better) use the classic fork/exec/wait piece of code to avoid
running the shell at all (just run /usr/bin/uptime directly).

BTW, why does fingerd run as root? If there is a user "nobody" listed
in /etc/passwd, fingerd will change the uid to that user, but it would
be a little safer to specify "nobody" as the user in /etc/inetd.conf -
if getpwnam() fails (not necessarily because there is no user "nobody",
another reason may be just not enough memory and malloc returning NULL),
fingerd will still run as root...

Marek

-----------------------------------------------------------------------

Acknowledgement sent to Marek Michalkiewicz: New bug report received and forwarded. Full text available.

-----------------------------------------------------------------------

Report forwarded to debian-devel@pixar.com: Bug#1674; Package netstd. Full text available.

-----------------------------------------------------------------------

Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism.
This page last modified 07:43:01 GMT Wed 01 Nov