special files as .plans?

Louis A. Mamakos louie at sayshell.umd.edu
Wed Aug 29 07:46:15 AEST 1990


In article <361 at pacer.UUCP> davidb at Pacer.UUCP (David Barts) writes:
>In article <7391 at star.cs.vu.nl>, maart at cs.vu.nl (Maarten Litmaath) writes:
>> He forgot to deal with normal files.  The real bug is fingerd running as
>> root: root can open any (local) file...  (Think about it!)
>
>And how about a nice symbolic link to /etc/passwd?

It seems that the only way that the .plan file could be a symbolic link is if
that user made it such.  He could have just as easily copied /etc/passwd into his
.plan file and saved the trouble of following the symbolic link.

If you can't trust your users from giving away the farm, then you've got
other problems.  You'll likely want to think about shadow password files
under those circumstances.

Fingerd only runs as `root' on brain-damaged operating systems.  Grab
the 4.3BSD inetd (and cron, for that matter) which allow you to
specify the user that the daemons will be run as.  We beat up on DEC
frequently about this (every Ultrix field test), and somehow it seems
impossible to convince them that this is a good idea and a `feature.'

louie
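
Added example, not part of the original post and not taken from any fingerd source: the thread concerns a .plan that is a symbolic link or a special file, and this C code shows a reader that accepts only regular files, as a second safeguard next to running the daemon under an unprivileged user. The names open_plan and selftest are hypothetical, the sample files are constructed, and O_NOFOLLOW assumes a POSIX.1-2008 system.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from any real fingerd): return a read-only fd
 * for `path` only if it is a regular file and its last component is not a
 * symbolic link; return -1 otherwise. */
int open_plan(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlinked .plan; O_NONBLOCK keeps open() from
     * hanging on a FIFO or a device with no peer. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Check the descriptor, not the name, so the file cannot be swapped
     * between the check and the read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Build constructed sample inputs in a temp dir and return a bitmask:
 * 1 = regular file accepted, 2 = symlink rejected, 4 = FIFO rejected. */
int selftest(void)
{
    char dir[] = "/tmp/planXXXXXX", reg[64], lnk[64], fifo[64];
    int fd, mask = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(reg, sizeof reg, "%s/plan", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    if ((fd = open(reg, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);
    if (symlink(reg, lnk) != 0 || mkfifo(fifo, 0600) != 0) return -1;
    if ((fd = open_plan(reg)) >= 0) { mask |= 1; close(fd); }
    if (open_plan(lnk) < 0) mask |= 2;
    if (open_plan(fifo) < 0) mask |= 4;
    unlink(reg); unlink(lnk); unlink(fifo); rmdir(dir);
    return mask;
}

int main(void) { return selftest() == 7 ? 0 : 1; }
```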


