bug-coreutils

Re: Pinky command


From: Bob Proulx
Subject: Re: Pinky command
Date: Wed, 11 Nov 2009 18:15:32 -0700
User-agent: Mutt/1.5.18 (2008-05-17)

address@hidden wrote:
> In the old days, attackers used to create a .project symbolic link to
> the passwd and group files to get the list of login ids and groups via
> fingerd.

The list of uids is already public in the /etc/passwd file.  That file
is already world readable.  Therefore it isn't clear to me how using
another command makes this a vulnerability.

> I guess Sun fixed this long ago in Solaris. However,
> in pinky, I can use a symbolic link to /etc/passwd and /etc/group.

Do you have any references on the fix for this attack vector?

> $ cd  <--- Go to home dir 
> $ ln -s .project  /etc/passwd 

Obviously that should be switched. :-)

> $ pinky -l  mylogin 
> 
> Pinky follows symlink of .project. I guess, Pinky should avoid .project
> if it is a symlink. 

Compare this "attack":

  $ ln -s /etc/passwd .project
  $ cat .project

To this one:

  $ cat /etc/passwd

How is finger/pinky more vulnerable than cat?

Bob
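
The check proposed in the quoted message (skip .project when it is a symlink) could be written as below. This is an added example, not part of the original message and not coreutils code; the helper names, fixture file names and temp-dir path are hypothetical, and ELOOP as the symlink error is Linux behaviour.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a per-user file such as ~/.project only when the
   final path component is a regular file. O_NOFOLLOW rejects a symlink in the
   last component only (errno ELOOP on Linux); parent directories are still
   followed. Returns a descriptor, or -1 with errno set. */
int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the path, so the check cannot be raced. */
    if (fstat(fd, &st) != 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    return fd;
}

/* Constructed fixture: a temp dir holding one regular file and one symlink
   to /etc/passwd, mirroring the two .project cases in the thread. */
int make_fixture(char *dir_template, char *reg, char *lnk, size_t n)
{
    if (!mkdtemp(dir_template)) return -1;
    snprintf(reg, n, "%s/project.regular", dir_template);
    snprintf(lnk, n, "%s/project.symlink", dir_template);
    FILE *f = fopen(reg, "w");
    if (!f) return -1;
    fputs("working on coreutils\n", f);
    fclose(f);
    return symlink("/etc/passwd", lnk);
}

int main(void)
{
    char dir[] = "/tmp/nofollowXXXXXX", reg[256], lnk[256];
    if (make_fixture(dir, reg, lnk, sizeof reg) != 0) return 1;
    int fd = open_regular_nofollow(reg);
    printf("regular file: %s\n", fd >= 0 ? "opened" : strerror(errno));
    if (fd >= 0) close(fd);
    fd = open_regular_nofollow(lnk);
    printf("symlink:      %s\n", fd >= 0 ? "opened" : strerror(errno));
    if (fd >= 0) close(fd);
    return 0;
}
```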
