Hello,

[I once sent this to -audit, but was then told]
[that it wasn't the right list for such a discussion]

Currently, finger(1) reveals user information if the user
has created the ``.nofinger'' file, but his home directory
is unreadable for finger(1).

In the case of local access, it's no problem, since anyone may read
/etc/passwd directly. OTOH, letting remote folks peek at user
information even if the user wants to hide himself is a bad thing.

The issue I'd like to submit for discussion is which way to choose:

a) Add a command-line option to finger(1) and fingerd(8) telling
   them not to reveal user information if the user's homedir is
   protected.

b) Similar to a), but hide such users by default.

c) Don't bother at all :-)

Personally, I'd prefer b) since it's the most secure and seems to break
nothing. Am I overlooking any complications?

-- 
Yar

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
