stansbury%mwvms@MITRE.ARPA (07/21/87)
--------
We are running Finger V41.1.10 here, and I just finished setting up
virtual terminals. However, when I run Finger now, it shows all the virtual
terminals as "<disconnected>" (even those that are not disconnected). Has
this been fixed in a later version of Finger? I tried recompiling all the
Finger sources and reinstalling it, but that didn't help. We are running
VMS V4.5.
Jack Stansbury
jws@mitre.arpahamm@BIOVAX.RUTGERS.EDU (08/29/87)
All this talk about FINGER has made me curious: What's the latest version of FINGER people have? (I assume we're all talking about Richard Garland's FINGER.) Also, what other hacks have people added, and to which version? Respond to me if you don't want to bother the net; I'll summarize if there's sufficient response. Greg ------------------------------------------------------------------------------ Greg H. Hamm || Phone: (201)932-4864 Director, Molecular Biology Computing Lab || Waksman Institute/NJ CABM || BITNET: hamm@biovax P.O. Box 759, Rutgers University || ARPA: hamm@biovax.rutgers.edu Piscataway, NJ 08854 * USA || ------------------------------------------------------------------------------ ------
EVERHART%ARISIA@rca.COM.UUCP (08/31/87)
I have Finger v 41.1.12. For those who've mentioned the desirable property of turning off privs except when explicitly needed, anyone taking the trouble would see that Finger has done this already. The business about the finger.pln file being able to be misused is arguably a problem with VMS (though Finger needs to be fixed to get around it) and Enter. Actually the entire subject of file aliases needs to be better addressed in VMS somehow; current implementation is DANGEROUS since it poses risks of unintentional deletion or modification of files which exist in multiple directories. A nifty utility for system managers would be something that would allow you to go thru a disk and at least IDENTIFY which files were aliases of each other. I suppose it'd not be that hard to just use dir/file_id, followed by a sort/uniq pass, to accomplish this... A compressed saveset of Finger appeared in the Fall '86 VAX SIG tapes ([vax86d.rcaf86.fingsort...]). Glenn Everhart
OC.GARLAND@CU20B.COLUMBIA.EDU (Richard Garland) (08/31/87)
I am the author of the version of FINGER that has been mentioned of late, although I have not worked on it for over 2 years. The problem indeed exists and I must apologetically take the blame. The problem is related to a VMS feature that has long been a source of problems, both real and conceptual since day one: namely the fact that a directory entry is not part of the file header, and indeed the whole directory structure is built on top of the file structure as a separate entity. This leads to problems with RENAME, incremental BACKUP, aliases, etc. etc. This is particularly severe when the directory has less protection than a file in it. My feeling on FINGER is to go with Glen Everhardt's fix. Most systems (such as TOPS for example) allow the user to set the protection on a file such as the plan file and that probably should not be overridden by a utility such as FINGER. For those who missed Glen's message, just comment out the USEROPEN argument in the OPEN statements (2 of them). To fix it the way it is, one would have to get the FIB of the file, then read the file header with an ACP QIO and check the file name, ownership, etc. This is more than I can do and I prefer Glen's solution anyway. For those who asked, the last version distributed by me was 41.1.10. I made a few changes since that but they do not add or change functionality. It is also known to work with the newest version of JNET for those who asked. Rg -------
EVERHART%ARISIA@rca.COM.UUCP (10/01/87)
As a result of the security bug found in Finger, I proposed a few weeks ago a temporary patch to prevent Finger from reading FINGER.PLN with privilege. Since then, Richard Garland has sent me his latest version, which I have merged with code from several other sources and which I will place on the next VAX SIG tape. Code I've just tested now checks the owner UIC of FINGER.PLN against the UIC found in the UAF entry for an individual being fingered. If the two are equal, Finger uses privilege to open FINGER.PLN and read it. Otherwise Finger attempts an open without privilege (in case the file is owned by an identifier but is nevertheless world readable). Thus, Finger will not display any file not owned by the individual being fingered, preventing it from being fooled by directory entries to files owned by others. Unfortunately my site is a mail only site, and 400K bytes or so of code is a lot to mail. I'm willing to send it to a FEW sites who will then advertise to this list they can redistribute it. Otherwise wait for the tape, please, or ask someone near you on the GE internal DECnet (if there is anyone). I'd also like a test site for the LAT terminal locating code. I have no LATs here, but have pasted in some (commented out) code to give LAT server and port IDs (thanks to some code off the Internet; thanks, folks) and would like to find a brave soul to try it out (and maybe fix it if broken...) Thanks, all... Glenn Everhart Everhart%Arisia.decnet@ge-crd.arpa