William H. Magill on Thu, 15 Jun 2000 13:15:51 -0400 (EDT)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] .plan files

>   You're assuming that the port isn't being filtered out on a router
>   somewhere ... I'm not familiar with @Home's security practices.
>   Also, your home directory will probably need world executable for the
>   .plan file to be available to everyone ... and last, but not least, I
>   would have to say I don't use a .plan file ... they're archaic.  :^)
>   I found something in a security session rather amusing - when you set
>   your sendmail config so that is doesn't allow VRFY or EXPN, the user
>   who sees the error response is instructed to 'maybe try finger.'  As
>   finger is more likely to be turned off than the VRFY/EXPN, I had to 
>   chuckle quietly.  :^)
That message has always fascinated me also. Some day I'll remember to tell
Eric how stupid it is.
>   On Wed, 14 Jun 2000, Tracy Nelson wrote:
>   > I think for security reasons most sites don't have the finger daemon
>   > (fingerd) running.  Make sure this is running and that your finger port
>   > isn't disabled and then finger yourself@yoursite and see.
>   > 
>   > -----Original Message-----
>   > From: Michael Whitman <mwhitman@home.com>
>   > To: plug@lists.nothinbut.net <plug@lists.nothinbut.net>
>   > Date: Wednesday, June 14, 2000 07:28
>   > Subject: [PLUG] .plan files
>   > 
>   > |I want to be cool like those game developers and have a .plan file that can
>   > |be fingered from outside.  Right now the .plan is something i can only
>   > |finger see when I am logged in under my account.  i have tried changing
>   > file
>   > |permissions, but to no avail.  i cant find any help files on this subject.
>   > |Any suggestions or links?  Do people still use .plan files or is this
>   > |archaic?

Actually, the problem with finger is much more insidious than simple
security.  Historically, there were two finger programs - "finger," which
looked only at users on your host and "netfinger" which looked at other
hosts on the net. These eventually got combined into one "client" program,
finger, but depending upon the version of Unix, there were still two
different daemons. (Talk was/is another similar program, and is where AOL
stole the idea of "instant messaging.")

The security issue is actually quite real -- if you have only two things to
control access -- a userid and password-- and you publish the userids, that
means that you have only one thing to control access -- the password. So
it's a given that publishing the userids on your system is not a good idea.

Finger, not only allowed you to "finger user@host", but also to "finger @host"
and get a listing of all the folks currently logged in (like "w" or "who").
So most sites simply disable the external access to the finger daemon.
And there are as many ways to do that as there are people doing it.
This is why virtually everyone running a Timesharing server disables

Now back to the insidious part.... Finger works by scanning the
/etc/password file sequentially. (It's an old brain dead piece of code.)
On a small system this is not a big deal. But on a large system with
several thousand users this can actually take several seconds of CPU time,
which might take many seconds of wall clock time to accumulate. And while
this scanning is taking place -- /etc/passwd is locked open by finger!!!
Can you say denial of service attack. And this is true for both on and off
host queries. 

That I know of, no vendor has ever implemented a "solution" to this problem.
So everybody just turns off finger. Some Academic sites have
implemented GNU Finger, which addresses this problem with a separate

There are also issues around clustered machines which GNU finger solves,
"finger" is simply "<host> centric."

William H. Magill                          Senior Systems Administrator
Information Services and Computing (ISC)   University of Pennsylvania
Internet: magill@isc.upenn.edu             magill@acm.org

Philadelphia Linux Users Group       -       http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion   -   http://lists.nothinbut.net/mail/listinfo/plug