On a Solaris 8, i386 machine, I did the following:

$ ls -al
drwxr-xr-x  4  j      other   512 May 28, 14:12 .
drwxr-xr-x  5  root   root    512 May 28, 14:10 ..
lrwxrwxrwx  1  j      other     6 May 28, 14:12 .plan -> myplan
-rw-------  1  nobody nobody   17 May 28, 14:12 myplan
$ finger -l j@localhost
[localhost]
Login name: j
Directory name: /export/home/j           Shell: /bin/sh
Last login Mon May 28, 14:12 on console from :0
No unread mail.
No plan.

After I changed the mode of myplan to world-readable, finger gave me

$ finger -l j@localhost
[localhost]
Login name: j
Directory name: /export/home/j           Shell: /bin/sh
Last login Mon May 28, 14:12 on console from :0
No unread mail.
Plan:
This is my plan.

So I'd say in.fingerd is not vulnerable to the symlink attack you
describe.

J. Bol

Lukasz Luzar wrote:

> Hello,
>
>  Ok, the example wasn't good.
>  It was a long day for me, thus, please forgive me that slip-up.
>
>  The symlink attack is very useful when you want to read
>  files that are readable only by an unprivileged user.
>
>  For example, many httpd servers run with the same privileges,
>  which means that you can read any CGI temporary file, and other
>  files readable only by CGI scripts.
>
>  I am thinking of a case where a CGI script saves some important
>  information in a temporary file, like PHP does with sessions:
>
>   -rw------- 1 nobody nobody    329 May 14 12:16  /tmp/sess_0cd156a633
>
>  When you have in.fingerd installed, and in.fingerd is vulnerable,
>  all local users are able to read the information from those files.
>
>  There are a few other examples.
>
> --
> Lukasz Luzar
> http://Developers.of.PL/
> Crede quod habes, et habes

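The behaviour J. Bol's test probes, as an added example that is not part of this thread and is not in.fingerd's own code: a finger-style .plan reader in two forms. The naive one calls open() and so follows wherever .plan points; the hardened one opens with O_NOFOLLOW (so a symlinked .plan fails with ELOOP) and then fstat()s the descriptor it actually got, insisting on a regular file with a single link owned by the fingered user, which also stops a hard link to someone else's file. The fixture is constructed for the demo: a temp directory, a "secret" file standing in for the nobody-owned /tmp/sess_* file from Lukasz's message, and .plan -> secret as in the ls listing above. Run it as an ordinary user; "secret" is then readable by you either way, and the point is only whether the reader lets the link steer it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* mkdtemp, symlink, O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed contents for the demo fixture (not real data). */
static const char SECRET[] = "session_id=abc123\n";   /* stands in for /tmp/sess_... */
static const char PLAN[]   = "This is my plan.\n";

/* Unsafe: how a naive fingerd reads ~/.plan. open() follows symlinks, so
 * .plan -> /tmp/sess_xxx hands the client whatever the daemon's uid can read. */
ssize_t read_plan_unsafe(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Hardened: refuse symlinks at open time, then validate the object actually
 * opened. fstat() on the descriptor (not lstat() on the path) leaves no
 * window for swapping the file between check and use. O_NONBLOCK keeps a
 * FIFO planted as .plan from hanging the daemon before S_ISREG rejects it. */
ssize_t read_plan_safe(const char *path, uid_t owner, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;                     /* ELOOP if .plan is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)
        || st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;                         /* not the user's own regular file */
        return -1;
    }
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Writes a small file with mode 0600, mirroring the -rw------- session file. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Builds the constructed fixture under a fresh temp dir; dir receives its path.
 * Layout: dir/secret (the target), dir/myplan (a real plan), dir/.plan -> secret */
int setup_fixture(char *dir, size_t dirlen)
{
    char tmpl[] = "/tmp/planXXXXXX";
    if (mkdtemp(tmpl) == NULL || strlen(tmpl) + 1 > dirlen) return -1;
    strcpy(dir, tmpl);
    char path[512];
    snprintf(path, sizeof path, "%s/secret", dir);
    if (write_file(path, SECRET) < 0) return -1;
    snprintf(path, sizeof path, "%s/myplan", dir);
    if (write_file(path, PLAN) < 0) return -1;
    snprintf(path, sizeof path, "%s/.plan", dir);
    if (symlink("secret", path) < 0) return -1;
    return 0;
}

int main(void)
{
    char dir[64], path[512], buf[256];
    if (setup_fixture(dir, sizeof dir) < 0) { perror("setup_fixture"); return 1; }
    snprintf(path, sizeof path, "%s/.plan", dir);
    printf("naive reader via symlink:    %s",
           read_plan_unsafe(path, buf, sizeof buf) >= 0 ? buf : "refused\n");
    printf("hardened reader via symlink: %s",
           read_plan_safe(path, getuid(), buf, sizeof buf) >= 0 ? buf : "refused\n");
    return 0;
}
```

The ownership check is the cheap mitigation; the stronger one, which several fingerd implementations adopted, is to drop to the fingered user's uid and gid before touching anything in the home directory, so that the kernel's own permission check answers the question and no symlink or hard link can reach a file the user could not read anyway.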