Re: Pinky command
From: Bob Proulx
Subject: Re: Pinky command
Date: Wed, 11 Nov 2009 18:15:32 -0700
User-agent: Mutt/1.5.18 (2008-05-17)
address@hidden wrote:
> In the old days, attackers used to create .project symbolic links to the
> passwd and group files to get the list of login ids and groups via
> fingerd.
The list of uids is already public in the /etc/passwd file. That file
is already world readable. Therefore it isn't clear to me how using
another command makes this a vulnerability.
> I guess, Sun had fixed this long back in Solaris. However
> in pinky, I can use symbolic link to /etc/passwd and /etc/group.
Do you have any references on the fix for this attack vector?
> $ cd <--- Go to home dir
> $ ln -s .project /etc/passwd
Obviously that should be switched. :-)
> $ pinky -l mylogin
>
> Pinky follows symlink of .project. I guess, Pinky should avoid .project
> if it is a symlink.
Compare this "attack":
$ ln -s /etc/passwd .project
$ cat .project
To this one:
$ cat /etc/passwd
How is finger/pinky more vulnerable than cat?
Bob
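For readers who want to see what the "avoid .project if it is a symlink" suggestion looks like in practice, here is an added example in C. It is not code from this thread or from coreutils' pinky; the function names `read_plan_file` and `run_demo`, the status codes, and the temporary-directory layout are all my own assumptions. The reader opens the dotfile with O_NOFOLLOW and then inspects the open descriptor with fstat(), so a symlink, a non-regular file, or a file not owned by the user being looked up is refused without a separate lstat()-then-open() race window. The demo constructs a throwaway directory containing one genuine .project-style file and one that is a symlink to /etc/passwd, and reports the outcome for each.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of trying to read a per-user dotfile such as ~/.project. */
enum plan_status {
    PLAN_OK = 0,          /* regular file, right owner, contents copied to buf */
    PLAN_MISSING,         /* file does not exist: normal, print nothing */
    PLAN_SYMLINK,         /* refused: the path is a symbolic link */
    PLAN_NOT_REGULAR,     /* refused: directory, device, FIFO, ... */
    PLAN_WRONG_OWNER,     /* refused: not owned by the user being looked up */
    PLAN_ERROR            /* any other open/read failure */
};

/* Read up to bufsz-1 bytes of `path` into `buf` (NUL-terminated) only if the
   path is a regular file owned by `owner` and is not a symlink.  Opening with
   O_NOFOLLOW and then fstat()ing the open descriptor checks the same object
   that is read, so there is no lstat()-then-open() race window.
   (Hypothetical helper, not coreutils code.) */
enum plan_status read_plan_file(const char *path, uid_t owner,
                                char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) {
        if (errno == ELOOP || errno == EMLINK)   /* EMLINK on some BSDs */
            return PLAN_SYMLINK;
        if (errno == ENOENT)
            return PLAN_MISSING;
        return PLAN_ERROR;
    }
    struct stat st;
    enum plan_status rc = PLAN_OK;
    if (fstat(fd, &st) != 0)
        rc = PLAN_ERROR;
    else if (!S_ISREG(st.st_mode))
        rc = PLAN_NOT_REGULAR;
    else if (st.st_uid != owner)
        rc = PLAN_WRONG_OWNER;
    if (rc == PLAN_OK) {
        ssize_t n = read(fd, buf, bufsz - 1);
        if (n < 0) { rc = PLAN_ERROR; n = 0; }
        buf[n] = '\0';
    }
    close(fd);
    return rc;
}

/* Demo: in a fresh temporary directory (constructed here, not a real home
   directory) create a genuine plan file and one that is a symlink to
   /etc/passwd, then run read_plan_file() on each.  out[0] receives the status
   for the regular file, out[1] the status for the symlink.  Returns 0 if the
   setup itself succeeded, -1 otherwise. */
int run_demo(enum plan_status out[2])
{
    const char *tmp = getenv("TMPDIR");
    if (tmp == NULL || *tmp == '\0')
        tmp = "/tmp";
    char dir[512], real[512], link[512], buf[256];
    snprintf(dir, sizeof dir, "%s/pinky-demo-XXXXXX", tmp);
    if (mkdtemp(dir) == NULL)
        return -1;
    /* The check is name-agnostic, so two distinct names in one directory
       stand in for two users' ~/.project files. */
    snprintf(real, sizeof real, "%s/project.regular", dir);
    snprintf(link, sizeof link, "%s/project.symlink", dir);

    FILE *f = fopen(real, "w");
    if (f == NULL) { rmdir(dir); return -1; }
    fputs("Working on coreutils pinky(1).\n", f);   /* constructed content */
    fclose(f);
    if (symlink("/etc/passwd", link) != 0) { unlink(real); rmdir(dir); return -1; }

    uid_t me = getuid();
    out[0] = read_plan_file(real, me, buf, sizeof buf);
    out[1] = read_plan_file(link, me, buf, sizeof buf);

    unlink(link);
    unlink(real);
    rmdir(dir);
    return 0;
}

int main(void)
{
    enum plan_status r[2];
    if (run_demo(r) != 0) { perror("demo setup"); return 1; }
    printf("regular plan file -> status %d (0 = PLAN_OK)\n", r[0]);
    printf("symlink plan file -> status %d (2 = PLAN_SYMLINK)\n", r[1]);
    return 0;
}
```

The owner check matters as much as the symlink check: a hard link to another user's file would pass O_NOFOLLOW but fail the st_uid comparison, and a directory or device node handed over as .project is rejected by S_ISREG before any read. As Bob's reply points out, none of this changes what is already world-readable; the check only stops the display program from being used as a read proxy for files the looked-up user does not own.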