[comp.os.vms] Fixing Finger security hole

EVERHART%ARISIA@rca.COM ("GLENN EVERHART, 609 486 6328") (08/29/87)

Folks -
The FINGER utility does indeed have a security problem (or maybe it's
VMS allowing set file/enter to files one has no access to). It will
in its normal state read whatever FINGER.PLN is pointed at with privs,
allowing reading protected stuff.
	The RIGHT way to fix this is probably something like having
Finger check the owner of the file FINGER.PLN to ensure it's the
individual being fingered. The QUICK but workable fix is to edit
FINGER.FOR as in the following differences file. Basically, you
just remove the "user open = Priv_UserOpen" line from the opens for
Finger.pln and Finger will then NOT have any privs turned on while
trying to read finger.pln. This implies that anyone who wants his
FINGER.PLN file to be seen by others had better make it world readable.
That is not a security breach, really, since that file OUGHT only to
be there to be read by the world. It could mean that some directory
files need to be world execute, though. I'm posting this (having just
installed it and tested it on MY system :-) ) so the Finger utility
can continue to be used for its intended purposes, which I applaud.
	I suggest everyone hurry the heck up and install this version.
Rest assured, it'll be on the next VAX SIG tape too, if I have to put
it there myself. I hope someone will post a better fix before then
however.
	Glenn Everhart
************
File ARISIA$DRC0:[003001.FINGER]FINGER.FOR;1
 2514   c	  PlanFile = Directory(1:Btrim(Directory))//PlanFileName1
 2515   c	  Open (	Unit=ScratchUnit,
 2516   c	1	File=PlanFile,
 2517   c	2	User Open = Priv_UserOpen,
 2518   c	2	Status='old',
 2519   c	3	Err=201,
 2520   c	4	Shared,
 2521   c	5	Readonly)
 2522   	  PlanFile = Directory(1:Btrim(Directory))//PlanFileName1
******
File DR2:[FINGER]FINGER.FOR;1
 2514   	  PlanFile = Directory(1:Btrim(Directory))//PlanFileName1
************
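Review bot: the original Open block (ARISIA lines 2515 to 2521) is kept as Fortran comment lines rather than deleted, so `User Open = Priv_UserOpen,` is still in the source for someone to uncomment later; delete the block and keep a one-line comment saying the privileged open was removed on purpose. Also note that without the privileged user-open routine the `Err=201` branch now fires on a protection violation as well as on a missing file, so the handler at label 201 should report "no plan" in both cases rather than treat the first as an error.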
************
File ARISIA$DRC0:[003001.FINGER]FINGER.FOR;1
 2525   	2	Status='old',
******
File DR2:[FINGER]FINGER.FOR;1
 2517   	2	User Open = Priv_UserOpen,
 2518   	2	Status='old',
************
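Review bot: this section is the whole of the first fix: DR2 line 2517 `User Open = Priv_UserOpen,` is dropped and the Open at ARISIA 2525 keeps only `Status='old',` and the following keywords, so FINGER.PLN is opened with the process's ordinary access rights. The two continuation lines both marked `2` in the DR2 copy are harmless (fixed-form Fortran ignores the value of the continuation character) but renumbering them would make the remaining Open easier to read.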
************
File ARISIA$DRC0:[003001.FINGER]FINGER.FOR;1
 2534   c	  PlanFile = Directory(1:Btrim(Directory))//PlanFileName2
 2535   c	  Open (	Unit=ScratchUnit,
 2536   c	1	File=PlanFile,
 2537   c	2	User Open = Priv_UserOpen,
 2538   c	2	Status='old',
 2539   c	3	Err=202,
 2540   c	4	Shared,
 2541   c	5	Readonly)
 2542   	  PlanFile = Directory(1:Btrim(Directory))//PlanFileName2
******
File DR2:[FINGER]FINGER.FOR;1
 2527   	  PlanFile = Directory(1:Btrim(Directory))//PlanFileName2
************
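Review bot: this repeats the first section verbatim for PlanFileName2 (a commented-out Open with `Err=202`, then a fresh `PlanFile = ...` assignment); since the two opens differ only in the file name and error label, moving them into one subroutine would leave a single place to get the privilege handling right. Before calling the fix complete, search the rest of FINGER.FOR for any other `User Open = Priv_UserOpen` on a path the fingered user controls, since only these two opens are covered here.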
************
File ARISIA$DRC0:[003001.FINGER]FINGER.FOR;1
 2545   	2	Status='old',
******
File DR2:[FINGER]FINGER.FOR;1
 2530   	2	User Open = Priv_UserOpen,
 2531   	2	Status='old',
************
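Review bot: the removal of DR2 line 2530 `User Open = Priv_UserOpen,` mirrors the first removal. Because this is merged DIFFERENCES output showing both files, someone applying the change by hand needs only to delete the two `User Open` lines (DR2 2517 and 2530); the commented-out blocks in the ARISIA copy are not part of the functional change.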

Number of difference sections found: 4
Number of difference records found: 18

DIFFERENCES /IGNORE=()/MERGED=1/OUTPUT=ARISIA$DRC0:[003001]FINGER.DIF;1-
    ARISIA$DRC0:[003001.FINGER]FINGER.FOR;1-
    DR2:[FINGER]FINGER.FOR;1
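The post calls an ownership check on FINGER.PLN the RIGHT fix but only ships the quick one. Below is an added example of that check, written for a Unix-style finger in POSIX C rather than VMS Fortran; it is not Everhart's code and not part of the FINGER utility. The function names `read_plan` and `demo_plan_checks`, the result codes, and the fixture paths under /tmp are assumptions made for the example. The point it makes is the same as the post's: a privileged reader must not trust that a path inside a user's directory names a file the user is allowed to show, so it verifies the object it actually opened (not the path) is a regular file owned by the user being fingered, and refuses a symbolic link, the Unix analogue of the SET FILE/ENTER alias the post worries about.

```c
/* Added example, not from the original post or the VMS FINGER sources.
 * Owner-checked plan-file reader for a privileged finger daemon (POSIX C). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum plan_result {
    PLAN_OK = 0,
    PLAN_NO_FILE,      /* open failed: absent, unreadable, or a symlink (ELOOP) */
    PLAN_NOT_REGULAR,  /* opened object is a directory, device, fifo, ... */
    PLAN_WRONG_OWNER,  /* file exists but is not owned by the fingered user */
    PLAN_READ_ERROR
};

/* Read `path` into buf as the plan file of user `owner`.
 * The checks run on the open descriptor (fstat), so swapping the path
 * between a check and the open gains an attacker nothing. O_NOFOLLOW makes
 * a symlink in the final component fail; O_NONBLOCK keeps a planted fifo
 * from hanging the daemon. Even a privileged caller reads only files the
 * fingered user owns, which is the property the quick fix approximates by
 * dropping privileges. */
enum plan_result read_plan(const char *path, uid_t owner, char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return PLAN_NO_FILE;

    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return PLAN_READ_ERROR; }
    if (!S_ISREG(st.st_mode)) { close(fd); return PLAN_NOT_REGULAR; }
    if (st.st_uid != owner)   { close(fd); return PLAN_WRONG_OWNER; }

    size_t got = 0;
    while (got + 1 < bufsz) {
        ssize_t n = read(fd, buf + got, bufsz - 1 - got);
        if (n < 0) { close(fd); return PLAN_READ_ERROR; }
        if (n == 0) break;
        got += (size_t)n;
    }
    buf[got] = '\0';
    close(fd);
    return PLAN_OK;
}

/* Constructed fixture: a real plan file, a symlink aliasing it, and a
 * directory, all under a fresh mkdtemp() directory. Returns 0 when every
 * case behaves as intended, otherwise a bitmask of the failed cases. */
int demo_plan_checks(void)
{
    char dir[] = "/tmp/finger-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;

    char plan[256], alias[256], out[256];
    snprintf(plan,  sizeof plan,  "%s/finger.pln", dir);
    snprintf(alias, sizeof alias, "%s/alias.pln", dir);

    FILE *f = fopen(plan, "w");
    if (f == NULL) return -2;
    fputs("Out to lunch.\n", f);
    fclose(f);
    if (symlink(plan, alias) != 0) return -3;

    uid_t me = getuid();
    int rc = 0;
    if (read_plan(plan, me, out, sizeof out) != PLAN_OK)               rc |= 1;
    if (strcmp(out, "Out to lunch.\n") != 0)                           rc |= 2;
    if (read_plan(plan, me + 1, out, sizeof out) != PLAN_WRONG_OWNER)  rc |= 4;  /* not the fingered user's file */
    if (read_plan(alias, me, out, sizeof out) != PLAN_NO_FILE)         rc |= 8;  /* symlink refused (ELOOP) */
    if (read_plan(dir, me, out, sizeof out) != PLAN_NOT_REGULAR)       rc |= 16; /* directory, not a file */

    unlink(alias);
    unlink(plan);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_plan_checks();
    printf("plan-file checks: %s (rc=%d)\n", rc == 0 ? "all passed" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The quick fix in the post and this check are complementary: dropping privilege before the open stops the reader from seeing what the fingered user cannot, while the ownership test stops it from showing a file the user can read but does not own. A daemon that has to keep privilege for other reasons (as FINGER apparently did) needs the second, and it costs nothing to keep the first as well.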