Bugtraq mailing list archives
Re: in.fingerd follows sym-links on Solaris 8
From: Darren Moffat <Darren.Moffat () eng sun com>
Date: Fri, 25 May 2001 12:54:33 -0700 (PDT)
Ok, the example wasn't good. It was a long day for me, thus, please forgive me that slip-up.
This is certainly a much better example, but:
On example, many httpd servers works with the same privilages, it means that you can read any CGI temporary file, and other files readable only by CGI scripts.
httpd servers shouldn't be running as user nobody they should be running as user www or something similar.
I think about a case where a CGI script saves some important information in a temporary file, like PHP do with the sessions: -rw------- 1 nobody nobody 329 May 14 12:16 /tmp/sess_0cd156a633
The bug is in one of PHP/CGI/httpd NOT in in.fingerd. nobody has a very special meaning, it is the user id that root gets mapped to over NFS. It was created for that reason and that reason alone, it is NOT a general purpose account to run daemons or cgi or anything else under. If applications need to run as a user other than root then they should have a user for that application, eg Oracle DB server runs as the user oracle. in.fingerd is a special case and it is running as nobody explicitly because there should be no sensitive files that are owned by the nobody user. If you have a system where there are local files that are owned by nobody then you have a configuration error or a bug in another application but it isn't in.fingerd's problem. -- Darren J Moffat
Current thread:
- in.fingerd follows sym-links on Solaris 8 Lukasz Luzar (May 24)
- Re: in.fingerd follows sym-links on Solaris 8 Lyndon Nerenberg (May 24)
- <Possible follow-ups>
- Re: in.fingerd follows sym-links on Solaris 8 Matthew R. Potter (May 24)
- Re: in.fingerd follows sym-links on Solaris 8 Lukasz Luzar (May 25)
- Re: in.fingerd follows sym-links on Solaris 8 J. Bol (May 28)
- Re: in.fingerd follows sym-links on Solaris 8 Joep Vesseur (May 28)
- Re: in.fingerd follows sym-links on Solaris 8 Darren Moffat (May 28)