   It has been pointed out to me by Tony Nardo at APL
(trn@warper.jhuapl.edu) that there's yet another (smallish) problem with
finger under at least SunOS 3.X.  Basically, one can make a symlink from
one's own .plan to some protected file in another user's directory, then
take advantage of the fact that in.fingerd runs from inetd (which runs as
root) to read the "unreadable" file.

   The fix, as I see it, is to run a more reasonable inetd (like the 4.3BSD
one, which allows you to specify the user as which a daemon should run), or
to do:

	# chown nobody /usr/etc/in.fingerd
	# chgrp nobody /usr/etc/in.fingerd
	# chmod 6755 /usr/etc/in.fingerd

   This will make fingerd run as nobody.

   This problem is likely to exist in any system that doesn't provide a
4.3BSD-style inetd.conf.  Whether or not that includes SunOS 4.X, I don't
know, but I'd like to find out.

   This is sure the week for the security problems to come out of the
woodwork, isn't it!

	-Steve

Spoken: Steve Miller    Domain: steve@mimsy.umd.edu    UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808  USPS: UMIACS, Univ. of Maryland, College Park, MD 20742
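
A daemon-side check that refuses the symlinked .plan described above, as an added example that is not part of the original post and not code from any finger daemon. The function name open_plan_safely is hypothetical, and O_NOFOLLOW is a modern POSIX flag that SunOS 3.X did not provide.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open `path` read-only only if it is a regular file
 * owned by `owner`. Returns an fd, or -1 if the final path component is a
 * symlink, is not a regular file, or belongs to a different user. */
int open_plan_safely(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                  /* open fails with ELOOP on a symlink */
    /* fstat the descriptor we hold, so the check cannot race a path swap */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed sample: a temp "home" holding a private file and a .plan
 * symlink pointing at it. Returns a bitmask of the checks that passed. */
int demo(void)
{
    char dir[] = "/tmp/planXXXXXX", secret[64], plan[64];
    int fd, score = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(plan, sizeof plan, "%s/.plan", dir);
    fd = open(secret, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || symlink(secret, plan) != 0) return -1;
    close(fd);
    if (open_plan_safely(plan, geteuid()) == -1) score |= 1;   /* symlink refused */
    fd = open_plan_safely(secret, geteuid());
    if (fd >= 0) { score |= 2; close(fd); }                    /* real file accepted */
    if (open_plan_safely(secret, geteuid() + 1) == -1) score |= 4; /* wrong owner refused */
    unlink(plan); unlink(secret); rmdir(dir);
    return score;
}

int main(void) { int r = demo(); printf("checks passed: %d\n", r); return r == 7 ? 0 : 1; }
```

O_NOFOLLOW covers only the final path component, so this check complements running the daemon as an unprivileged user, as the post recommends, and does not replace it.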
