Fw: [Courses] [FS] a socket + finger question

Laura Bowser elwing at elwing.org
Fri Jul 25 07:51:10 EST 2003


On the security issues of fingerd:

   Besides the historical flaw (the famous Morris worm), fingerd is 
network code which accepts input from both users (your .plan file) and 
clients - the finger program.  Coding a secure program is very 
difficult, *especially* when dealing with user/client input - you 
should *never* trust the client.

Specific to this example, a named pipe can be used to "link" to a 
program (as you demonstrated).  It can also be used to point to 
devices.  Devices in user hands are dangerous - and fingerd can be run 
as root, meaning it has total and complete access to the file system.  
As far as I know, it does not drop privileges where appropriate (such 
as OpenSSH does), so it potentially has full, unfettered access to the 
file system.

What would happen if you were to set up the named pipe to cat the 
/etc/passwd or /etc/shadow file?  From the point of view of the sysadm 
- this is a *VERY* bad thing.  You could also set your .plan file to 
symlink to either file.

Because this is generally a Bad Thing (tm), the programmers of fingerd 
have probably checked the status of the file (with fstat(2)), and then 
ignore links, named pipes, directories, and probably everything except 
plain old files.

It's also possible that the fingerd writers made this a compile 
time/run time option for the admin to decide - I haven't looked at the 
code.

Laura


On Friday, July 25, 2003, at 12:54  AM, Vatsan Madhavan wrote:

> resend to list..
> -v
>
>>> One thing to check.  Is your home directory on a network filesystem,
>>> such as nfs?  If you can access your home directory from many
>>> different machines, it probably is.  Named pipes do not work on most
>>> network filesystems.
>>
>> Yes, it is on a nfs mounted filesystem. I've tested it otherwise, and
>> named pipes work fine. Perhaps Laura Bowser's explanation could explain
>> the behaviour. But what security problems could potentially arise?
>>
>> -Vatsan.
>>
>>
>
>
>
>
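
The check described in the message above (fstat(2) the .plan and accept only plain files), as an added example that is not part of the original post and not fingerd's actual code. `open_plan` and `demo_mask` are hypothetical names, and the sample files are constructed in a temporary directory under /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not fingerd's code): return a read-only fd for the
 * .plan at `path` only if it is a plain file; otherwise return -1. */
int open_plan(const char *path)
{
    /* O_NOFOLLOW: fail if the final path component is a symlink.
     * O_NONBLOCK: opening a FIFO with no writer must not hang the daemon. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    struct stat st;
    if (fd < 0)
        return -1;
    /* fstat() the opened fd, not the path, so the check cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Creates constructed sample files in a temp dir; returns a bitmask of those
 * open_plan() accepted (1=plain, 2=symlink, 4=FIFO, 8=dir), or -1 on error. */
int demo_mask(void)
{
    char dir[] = "/tmp/plandemoXXXXXX", p[4][64];
    const char *names[4] = { "plain", "link", "fifo", "subdir" };
    int mask = 0, i, fd;
    if (!mkdtemp(dir))
        return -1;
    for (i = 0; i < 4; i++)
        snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    fd = open(p[0], O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) || symlink(p[0], p[1]) ||
        mkfifo(p[2], 0600) || mkdir(p[3], 0700))
        return -1;
    for (i = 0; i < 4; i++)
        if ((fd = open_plan(p[i])) >= 0) { mask |= 1 << i; close(fd); }
    for (i = 0; i < 3; i++)
        unlink(p[i]);
    rmdir(p[3]);
    rmdir(dir);
    return mask;
}

int main(void) { printf("accepted mask: %d\n", demo_mask()); return 0; }
```

Only the plain file is accepted; the symlink fails at open(2), while the FIFO and the directory open but are rejected by the S_ISREG test.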
