Bugtraq mailing list archives
Re: login can be used to hide from finger under SunOS 4.13u1
From: karl () bagpuss demon co uk (Karl Strickland)
Date: Fri, 2 Jun 1995 22:07:55 +0100 (BST)
> I recently noticed that running login (no arguments) once logged in, and providing it with your username and password would hide one from finger requests under SunOS 4.13u1. Has anybody else noticed this, under SunOS, or other unix variants?
>
> David Sacerdote
Yep, this has been known for years, and crops up under most UNIXes. If you choose to leave login 6755 and give users access to it, then that's the price you pay. Personally, I recommend removing the suid bit and/or making it non world executable. If people need to switch uids they can either logout and login again, use su, or telnet localhost or rlogin localhost or whatever.

--
Mailed using ELM on FreeBSD    | Karl Strickland
PGP 2.3a Public Key Available. | Internet: karl () bagpuss demon co uk
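The permission change recommended in the reply above, as an added shell example that is not part of the original thread: it reports whether a file carries the setuid, setgid, or world-execute bits and then strips them. The function names and the temporary file standing in for the login binary are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a binary for the mode bits discussed in the thread
# (login installed 6755 and runnable by any user), then remove them.

# Print which risky bits are set: "setuid", "setgid", "world-exec".
# Prints "ok" when none are set, "missing" (status 2) if the file is absent.
audit_mode() {
    f=$1
    if [ ! -f "$f" ]; then echo "missing"; return 2; fi
    flags=""
    # find -perm -MODE matches only when every bit in MODE is set (POSIX).
    if [ -n "$(find "$f" -perm -4000)" ]; then flags="${flags:+$flags }setuid"; fi
    if [ -n "$(find "$f" -perm -2000)" ]; then flags="${flags:+$flags }setgid"; fi
    if [ -n "$(find "$f" -perm -0001)" ]; then flags="${flags:+$flags }world-exec"; fi
    echo "${flags:-ok}"
}

# Apply the recommendation: drop setuid/setgid and world execute.
# Owner and group permissions are left as they were.
harden_mode() {
    f=$1
    [ -f "$f" ] || return 2
    chmod u-s,g-s,o-x "$f"
}

# Demonstration on a constructed stand-in file, never on the real login.
demo() {
    tmp=$(mktemp) || return 1
    chmod 6755 "$tmp"            # same mode the reply mentions
    before=$(audit_mode "$tmp")
    harden_mode "$tmp"
    after=$(audit_mode "$tmp")
    rm -f "$tmp"
    echo "before: $before / after: $after"
}

demo
```

On a real system the path argument would be the installed login binary, and the change must be made as root.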