Re: cfingerd vulnerability

Michael Stone (mstone@ITRI.LOYOLA.EDU)
Sun, 25 May 1997 16:16:39 -0400

Quoting Edward S. Marshall (emarshal@COMMON.NET):
> Also, I've heard various reports of cfingerd having security problems in
> the past. Has anyone considered sitting down with it and doing a complete
> security audit? It's a nice tool to have, but if it's insecure, it
> presents a problem. I'm mainly concerned with buffer overruns and other
> similar problems, since it does require that you run it as root.

There's a patch on sunsite to make cfingerd not run as root; I haven't
tried it myself, so I don't know if it's any good. You might give it a
shot, though...

http://sunsite.unc.edu/pub/Linux/system/network/finger/

Mike Stone