There is a bug in the `lib/site/userinfo.c' module of GNU finger version 1.37 allowing any user on a system to execute arbitrary commands with gid root from ~/.fingerrc. The problem is that GNU finger *first* changes its userid thus giving away root privileges and *then* tries to change its gid which will not succeed.

Greetings, Thomas

*** userinfo.c.orig Fri Mar 17 12:12:28 1995
--- userinfo.c Fri Mar 17 12:12:37 1995
***************
*** 241,262 ****
  dup (fileno (*streamp));
  }
  if (fileno (*streamp) != 2)
  {
  close (2);
  dup (fileno (*streamp));
  }
  /* Set uid/gid */
- setuid (user->pw_uid);
  setgid (user->pw_gid);
  /* Set default directory */
  chdir (user->pw_dir);
  /* Run ~/.fingerrc through user shell */
  #ifdef FINGERRC_SHELL
  execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
  #else
  execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
  #endif
--- 241,262 ----
  dup (fileno (*streamp));
  }
  if (fileno (*streamp) != 2)
  {
  close (2);
  dup (fileno (*streamp));
  }
  /* Set uid/gid */
  setgid (user->pw_gid);
+ setuid (user->pw_uid);
  /* Set default directory */
  chdir (user->pw_dir);
  /* Run ~/.fingerrc through user shell */
  #ifdef FINGERRC_SHELL
  execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
  #else
  execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
  #endif
-- roessler@rhein.iam.uni-bonn.de * roessler@sobolev.cologne.de MURPHY'S LAW: If anything can go wrong, it will.
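Review bot: The return values of `setgid` and `setuid` are still ignored under `/* Set uid/gid */`, so if either call fails the `execlp` below runs the user's ~/.fingerrc with whatever privileges the process still holds. The supplementary group list is not reset either, so the groups of the invoking root process would be inherited by the user's shell even when both calls succeed. Assuming `user` is a `struct passwd *` (the hunk only shows its `pw_*` fields) and this path runs in a forked child, I would drop groups first and fail closed: `if (initgroups (user->pw_name, user->pw_gid) != 0 || setgid (user->pw_gid) != 0 || setuid (user->pw_uid) != 0) _exit (1);`. The `chdir (user->pw_dir)` result is unchecked as well, which leaves the script running in the daemon's working directory on failure. The enclosing function starts and ends outside the hunk, so the fork and error-handling context should be confirmed there.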