[comp.os.vms] Finger

stansbury%mwvms@MITRE.ARPA (07/21/87)

--------
We are running Finger V41.1.10 here, and I just finished setting up
virtual terminals. However, when I run Finger now, it shows all the virtual
terminals as "<disconnected>" (even those that are not disconnected). Has
this been fixed in a later version of Finger?  I tried recompiling all the
Finger sources and reinstalling it, but that didn't help.  We are running
VMS V4.5.
     
Jack Stansbury
jws@mitre.arpa

hamm@BIOVAX.RUTGERS.EDU (08/29/87)

All this talk about FINGER has made me curious:  What's the latest version
of FINGER people have?  (I assume we're all talking about Richard Garland's
FINGER.)  Also, what other hacks have people added, and to which version?

Respond to me if you don't want to bother the net;  I'll summarize if there's
sufficient response.

Greg
------------------------------------------------------------------------------
Greg H. Hamm                              || Phone:  (201)932-4864
Director, Molecular Biology Computing Lab ||  
Waksman Institute/NJ CABM                 || BITNET: hamm@biovax
P.O. Box 759, Rutgers University          || ARPA:   hamm@biovax.rutgers.edu
Piscataway, NJ 08854 * USA                ||
------------------------------------------------------------------------------

------

EVERHART%ARISIA@rca.COM.UUCP (08/31/87)

I have Finger v 41.1.12. For those who've mentioned the desirable
property of turning off privs except when explicitly needed, anyone
taking the trouble would see that Finger has done this already. The
business about the finger.pln file being able to be misused is arguably
a problem with VMS (though Finger needs to be fixed to get around it)
and Enter. Actually the entire subject of file aliases needs to be better
addressed in VMS somehow; current implementation is DANGEROUS since it
poses risks of unintentional deletion or modification of files which
exist in multiple directories. A nifty utility for system managers would
be something that would allow you to go thru a disk and at least
IDENTIFY which files were aliases of each other. I suppose it'd not
be that hard to just use dir/file_id, followed by a sort/uniq pass,
to accomplish this...
	A compressed saveset of Finger appeared in the Fall '86 VAX
SIG tapes ([vax86d.rcaf86.fingsort...]).
Glenn Everhart
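
[Added example, not part of the original post.] The alias-finding pass suggested above (list every file ID, sort, look for repeats), sketched for a POSIX filesystem where (device, inode) plays the role of the VMS file ID and a hard link plays the role of an alias. The function name and report format are assumptions made for this sketch; it is not a VMS utility.

```python
import os
import stat
from collections import defaultdict

def find_aliases(root):
    """Group regular files under root by (device, inode) and report every
    file that is reachable by more than one directory entry.

    Returns a sorted list of (paths, names_elsewhere) tuples, where
    names_elsewhere counts entries for the same file outside the scanned tree.
    """
    names = defaultdict(list)
    links = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            key = (st.st_dev, st.st_ino)   # POSIX counterpart of a file ID
            names[key].append(path)
            links[key] = st.st_nlink       # link count kept in the inode
    report = []
    for key, paths in names.items():
        elsewhere = links[key] - len(paths)
        if len(paths) > 1 or elsewhere > 0:
            report.append((sorted(paths), elsewhere))
    return sorted(report)

if __name__ == "__main__":
    import sys
    for paths, elsewhere in find_aliases(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(paths, "+%d name(s) outside the tree" % elsewhere if elsewhere else "")
```

A file reported with names in two different users' directories is the case to review first, since deleting or editing it through one name changes what the other name sees.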

OC.GARLAND@CU20B.COLUMBIA.EDU (Richard Garland) (08/31/87)

I am the author of the version of FINGER that has been mentioned of late,
although I have not worked on it for over 2 years.

The problem indeed exists and I must apologetically take the blame.  The
problem is related to a VMS feature that has long been a source of problems,
both real and conceptual since day one: namely the fact that a directory
entry is not part of the file header, and indeed the whole directory structure
is built on top of the file structure as a separate entity.  This leads to
problems with RENAME, incremental BACKUP, aliases, etc. etc.  This is
particularly severe when the directory has less protection than a file in it.

My feeling on FINGER is to go with Glenn Everhart's fix.  Most systems (such
as TOPS for example) allow the user to set the protection on a file such as
the plan file and that probably should not be overridden by a utility such as
FINGER.

For those who missed Glenn's message, just comment out the USEROPEN argument
in the OPEN statements (2 of them).

To fix it the way it is, one would have to get the FIB of the file, then 
read the file header with an ACP QIO and check the file name, ownership, etc.
This is more than I can do and I prefer Glenn's solution anyway.

For those who asked, the last version distributed by me was 41.1.10.  I made
a few changes since that but they do not add or change functionality.  It
is also known to work with the newest version of JNET for those who asked.

					Rg
-------

EVERHART%ARISIA@rca.COM.UUCP (10/01/87)

As a result of the security bug found in Finger, I proposed a few weeks
ago a temporary patch to prevent Finger from reading FINGER.PLN with
privilege.
	Since then, Richard Garland has sent me his latest version,
which I have merged with code from several other sources and which
I will place on the next VAX SIG tape. Code I've just tested now checks
the owner UIC of FINGER.PLN against the UIC found in the UAF entry
for an individual being fingered. If the two are equal, Finger uses
privilege to open FINGER.PLN and read it. Otherwise Finger attempts
an open without privilege (in case the file is owned by an identifier
but is nevertheless world readable). Thus, Finger will not display any
file not owned by the individual being fingered, preventing it from being
fooled by directory entries to files owned by others.
	Unfortunately my site is a mail only site, and 400K bytes
or so of code is a lot to mail. I'm willing to send it to a FEW sites
who will then advertise to this list they can redistribute it. Otherwise
wait for the tape, please, or ask someone near you on the GE internal
DECnet (if there is anyone).
	I'd also like a test site for the LAT terminal locating code. I have
no LATs here, but have pasted in some (commented out) code to give LAT
server and port IDs (thanks to some code off the Internet; thanks, folks)
and would like to find a brave soul to try it out (and maybe fix it if
broken...)
	Thanks, all...
	Glenn Everhart
Everhart%Arisia.decnet@ge-crd.arpa
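
[Added example, not part of the thread and not Finger's code.] The owner check described in the last post, sketched for a privileged reader on a POSIX system: the numeric uid stands in for the UIC from the UAF entry, a hard link stands in for a directory entry pointing at someone else's file, and the world-read bit approximates "an open without privilege would succeed". The name read_plan and its return values are assumptions made for this sketch.

```python
import os
import stat

def read_plan(path, user_uid, limit=4096):
    """Decide how a privileged finger-style reader may show `path` for the
    account whose uid is `user_uid`.

    Returns (mode, data): "owner" when the file belongs to the user being
    fingered, "world" when it does not but is world-readable, and
    ("refused", None) otherwise.
    """
    # O_NOFOLLOW rejects a symlink as the final component; O_NONBLOCK keeps
    # the open from hanging if the name turns out to be a FIFO or device.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError:
        return ("refused", None)
    try:
        # fstat inspects the file actually opened, not the directory entry,
        # so the name cannot be swapped between the check and the read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return ("refused", None)
        if st.st_uid == user_uid:
            return ("owner", os.read(fd, limit))   # owner matches: privileged read is fine
        if st.st_mode & stat.S_IROTH:
            return ("world", os.read(fd, limit))   # anyone could read it anyway
        return ("refused", None)                   # someone else's protected file
    finally:
        os.close(fd)
```

The ownership test is made on the file itself because a directory entry says nothing about who owns the file it points to, which is the gap the thread describes.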