- Newsgroups: comp.security.misc
- Path: sparky!uunet!munnari.oz.au!manuel!coombs!avalon
- From: avalon@coombs.anu.edu.au (Darren Reed)
- Subject: Re: unhappy about overloading finger
- Message-ID: <avalon.712067691@coombs>
- Lines: 30
- Sender: news@newshost.anu.edu.au
- Organization: Computer Services Centre, Australian National University
- References: <1992Jul24.100650.9235@nntpd.lkg.dec.com> <dag.712016415@ossi.com> <1992Jul25.023851.482@news.iastate.edu>
- Date: 25 Jul 92 12:34:51 GMT
-
- john@iastate.edu (John Hascall) writes:
-
- >dag@ossi.com (Darren Alex Griffiths) writes:
- >}coar@Nephi.Enet.DEC.Com (Rodent of Unusual Size) writes:
- >}> So what's supposed to happen? I'm running a system with standard ULTRIX
- >}> (other than modified FTP), and all this does is a full finger of the
- >}> passwd file of the remote system. Is that the screwup? ...
- >}It's definitely a major screwup. This allows the pond scum who try and
- >}break into systems to get a list of all users and then attempt to crack the
- > ...
- >}Instead it should complain about the bogus user not existing.
-
- >I like our fix better, try: finger @@iastate.edu
- >(a bunch of gotta-try-it students doing this on a system with 7000 passwd
- >entries convinced us to fix this in a hurry before system meltdown).
-
- If you have problems with people using "@@", get a fingerd source (or
- write your own :) and include '@' with the white space separators such
- as \t, \n, ' ', etc.
-
- Also stops people doing "finger @host1@host1@host1@host1@host1..." and
- some other similar things.
-
- For systems with large /etc/passwd files there should be a version of
- getpwuid() & getpwnam() which look for information in hashed versions
- of the passwd file (should be regenerated after any vipw or changes
- to the /etc/group file). I'm sure I've seen this implemented somewhere.
-
- darren
-
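The fix suggested in the post above, counting '@' as one more separator when fingerd splits the request line, sketched in C as an added example (not code from the post or from any fingerd source). The name `parse_finger_request`, the size limits and the sample request lines are assumptions; what the daemon does with an empty request is left to the caller.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 8     /* assumed cap on names per request */
#define NAME_LEN  32    /* assumed cap on one name, including the NUL */

/* Delimiters for the request line: the usual white space plus '@',
 * so "user@host" is never seen as a request to forward to another host. */
static const char DELIMS[] = " \t\r\n@";

/* Split one finger request line into names to look up locally.
 * Returns the number of names stored; 0 means an empty request.
 * The "/W" verbose switch is skipped. Over-long tokens and tokens
 * beyond max are dropped rather than truncated. */
int parse_finger_request(const char *line, char names[][NAME_LEN], int max)
{
    char buf[512];
    char *tok;
    int n = 0;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    for (tok = strtok(buf, DELIMS); tok != NULL; tok = strtok(NULL, DELIMS)) {
        if (strcmp(tok, "/W") == 0)
            continue;
        if (strlen(tok) >= NAME_LEN || n >= max)
            continue;
        strcpy(names[n++], tok);
    }
    return n;
}

int main(void)
{
    /* constructed sample request lines */
    const char *samples[] = { "@@\r\n", "avalon\r\n",
                              "/W john@host1@host1@host1\r\n" };
    char names[MAX_NAMES][NAME_LEN];
    size_t i;
    int j, n;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        n = parse_finger_request(samples[i], names, MAX_NAMES);
        printf("%d name(s):", n);
        for (j = 0; j < n; j++)
            printf(" %s", names[j]);
        printf("\n");
    }
    return 0;
}
```

With '@' consumed as a separator, "@@" parses as an empty request and each "host1" in a chain becomes an ordinary local name lookup, so no request is ever relayed to another host.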