COMMAND

    fingerd

SYSTEMS AFFECTED

    Those using GNU fingerd.

PROBLEM

    Andrew Jones posted the following.  This is an old issue that has not
    been resolved.  GNU finger version 1.37, which is downloadable from
    metalab, has two old security problems that date back to 1995.  Here
    is one of the original posts:

        http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-03-15&thread=199503181615.RAA03894@trillian.in.tu-clausthal.de

    Both problems have to do with dropping permissions improperly.

    1) If you enable support for users' .fingerrc files (a program that
       is run when the user is fingered), that program gets run with
       group root privileges.  This is because the author drops the uid
       before the gid and so no longer has the power to drop the gid.

    2) If you symlink your .plan, .forward, or .project to a file of
       your choosing, you can read any file on the system by fingering
       yourself.  This is because the author does not drop permissions
       at all before reading those files.
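
    Added example (not from the advisory or the GNU finger sources): the
    uid-before-gid drop from problem 1 beside the hardened sequence
    (supplementary groups, then gid, then uid, each result checked and the
    outcome verified).  The names drop_privs_buggy, drop_privs and
    privs_dropped are hypothetical; the demo drops to the caller's own
    ids so it runs unprivileged.

```c
#define _DEFAULT_SOURCE   /* glibc: expose setgroups() in <grp.h> */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirrors the ordering described in problem 1: uid is dropped first, so
 * the later setgid() runs without privilege and the process silently
 * keeps its root group.  (Hypothetical helper, not finger's code.) */
int drop_privs_buggy(uid_t uid, gid_t gid)
{
    int rc = 0;
    if (setuid(uid) != 0) rc = -1;
    if (setgid(gid) != 0) rc = -1;   /* EPERM once root is gone */
    return rc;
}

/* Hardened form: supplementary groups, then gid, then uid.  Every step
 * is checked; the caller must treat a non-zero result as fatal. */
int drop_privs(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID, so only attempt it while still root. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Post-condition: real and effective ids both match the target, so a
 * failure anywhere in the sequence cannot go unnoticed. */
int privs_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    /* Unprivileged demo: dropping to our own ids always succeeds. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privs(uid, gid) != 0 || !privs_dropped(uid, gid)) {
        perror("drop_privs");
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)uid, (unsigned)gid);
    return 0;
}
```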

SOLUTION

    There are 3 ways to fix this.

    1) Simply run the daemon as nobody out of inetd.conf.  This works
       well but doesn't allow the .fingerrc to be run with the user's
       permissions as the author intended.

    2) The erroneous code is in finger-1.37/lib/site/userinfo.c; Andrew
       has included the diff below, which fixes this:

        251d250
        <  setgid (user->pw_gid);
        252a252
        > 	  setgid (user->pw_gid);
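
    Review bot: the pair 251d250/252a252 reads as a reversed diff: the `<`
    side, which `diff old new` would treat as the original, is the one
    with setgid (user->pw_gid) placed ahead of setuid, which is the fix
    the text describes (the gid must be dropped while the uid is still
    root).  Anyone applying this with patch(1) should swap the sides or
    use `patch -R`, then confirm the resulting userinfo.c calls setgid
    before setuid.  The moved call also still discards its return value;
    if setgid fails the process silently keeps the root group, so check
    the result and abort the request on failure.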
        478,482c478
		<
        <       /* Set uid/gid */
        <       setgid (entry->pw_gid);
        <       setuid (entry->pw_uid);
		<
        ---
        >
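
    Review bot: the `<` block at 478,482 adds setgid (entry->pw_gid) and
    setuid (entry->pw_uid) without checking either return value, so on
    failure execution continues and the .plan/.forward/.project reads
    from problem 2 happen with whatever privilege remains.  Suggest
    `if (setgid (entry->pw_gid) != 0 || setuid (entry->pw_uid) != 0)`
    followed by aborting the request, and note that no setgroups() call
    is made, so supplementary groups are retained.  The one-line context
    also cannot show whether these calls precede every open() of the dot
    files; that ordering should be verified in the full file.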

    3) Don't run gnu finger.