Finger Pointing
Total Page:16
File Type:pdf, Size:1020Kb
SYSADMIN Admin-Workshop: Finger Server Part 2: Setting up and Using the Finger Server Finger Pointing The finger service can be used to let other people know about your activities and appointments, without having to launch a complex groupware applica- tion.The protocol is amazingly simply – and that is one reason why we will be using finger as our entrée into the world of Server administration. BY MARC ANDRÉ SELIG lexible working hours can be a pain files. A daemon processes the requests could be exploited via this type of mech- sometimes. You end up talking to and supplies information on those users. anism.” Fan answer phone while a colleague If you want to use this service to pub- Of course many developers and ad- is still enjoying breakfast, or has already lish information about yourself, you mins simply ignore this warning today, gone home. Some people simply pin create a file called .plan or .project in keeping their Apaches with Mod_perl their schedules to their office doors, your home directory. The main differ- and Mod_php, and solemnly swearing to which is quite useful, unless your office ence is that a .project file traditionally apply the appropriate security patches, happens to be in a completely different consists of a single line, whereas a .plan when they get round to it. part of your office building. There is a lot file provides you with more scope. The The finger daemon adds system data to be said for groupware products if you .plan file is where you would store calen- to the information posted by a user, such need to organize a meeting and co-ordi- dar data or a PGP public key. as the shell, the last login time, or even nate schedules for a group of colleagues. information on unread mail. Listing 1 Although this might surprise some Security and the Finger shows the results of a sample query fin- people, Outlook and co. were not the Service ger Selig@localhost on my own host. first groupware products on the scene – Chapter 3 of RFC 1288 provides an usual The daemon parses /etc/passwd for in fact, the finger protocol was originally amount of detail on security aspects, the username. This is where it retrieves specified way back in 1977 [1]. Of especially considering the fact that the the full name, and the user’s room and course, modern groupware applications document is over ten years old (Decem- phone numbers. These three snippets of offer a lot more, but in many cases finger ber 1991). Some of the more interesting information are stored in the so-called is quite adequate. In addition, it tells you sections are still applicable to more mod- GECOS field. GECOS is the acronym a lot about the typical Unix philosophy. ern forms of networks, such as dynamic for General Electric Comprehensive websites or web services. Operating System, which was a fairly How Finger Works When they receive a request, some fin- widespread operating system around Finger’s basic design is wonderfully sim- ger servers call a user configurable 1970. Although GECOS is insignificant in ple, you might even say primitive – and external program. The RFC says: “Im- retrospect, this field with its “human” thus, a perfect example of a client/server plementing this feature may be more data migrated from GECOS to Unix and service. Users on a system store informa- trouble than it is worth, since there are retains the name to indicate its parent- tion about themselves in simple text always bugs in operating systems, which age. If you want to change this infor- mation, you should call chfn (change fin- Listing 1: Finger request ger), rather than editing the /etc/passwd 01 Login: mas Name: Marc 07 Project: file directly. Andre Selig 08 I'm busy with an article for 02 Directory: /home/mas Shell: Linux Magazine at present. Stop finger pointing /bin/bash 09 Plan: Finger allows end-users either to encour- 03 On since Mon Sep 8 11:20 10 This age other users to point (the finger (CEST) on pts/0 from :0 11 is daemon) at them, or to prevent finger 04 50 seconds idle 12 my access. You can create a file called .nofin- 05 On since Mon Sep 8 16:49 13 .plan ger in your home directory to reject the (CEST) on pts/1 from :0 14 it can contain more than just BSD daemon typical to so many Linux 06 No mail. one line. systems without any qualms. You can also prevent finger activity more or less 56 December 2003 www.linux-magazine.com Admin-Workshop: Finger Server SYSADMIN accidentally by assigning incorrect file permissions. .plan and .project need to Listing 2: The finger daemon in inetd be globally readable, and the daemon finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd expects at least look-up privileges for your home directory (chmod 711 ~ and chmod 644 ~/.plan). #, at the start of the line. You can simply The third column in /etc/inetd.conf delete the hash sign to enable the server. describes the protocol. This column typi- The Daemon inetd.conf reads like a table where cally contains either tcp for TCP/IP The finger server is included with most each line represents a specific service (connection oriented) and udp for distributions, but not installed by de- that the Internet super-server enables. UDP/IP (connectionless). This would fault. In this case, you will need to add The individual columns provide more seem to make the column redundant at the finger and finger-server packages. If detail about the service. first glance – but this is not true. Remem- you are having trouble finding the pack- ber that TCP/IP is not the only protocol age, you can search for bsd-finger to Protocol Issues family. Just like the service name, the locate the sourcecode. The first column in the line contains the entry in the third column is again a sym- Installing the server will not tell it name of the service. It is important to bol that Linux will translate into a to launch automatically. Linux distin- inetd that this name uniquely identifies number, by referring to the /etc/protocols guishes between two different categories the IP port. The operating system looks file. of server. One of them runs continuously in /etc/services to discover the port as a process, can react immediately to assigned to the symbolic name. To Wait or Not to Wait? incoming connections and assign re- The second column contains the The fourth column tells inetd to wait for sources independently as required. But socket type: stream indicates a connec- the current instance of the server pro- finger belongs to the other category. tion-oriented service; dgram (datagram) gram to terminate (wait), or not to wait When required, the daemon is launched a connectionless service. Connection ori- (nowait). In the latter case, inetd imme- by a central script called inetd (the so- ented services use a datastream to diately launches a new server process, called Internet super-server) or xinetd, exchange data and expect the protocol to when it receives a request for the allowing it to respond to current provide a reliable transport service. Con- service. requests. nectionless services simply transmit This may seem superfluous at first The latter method has its advantages. individual packets that may go astray or glance, but it is an important decision. Servers are more simple to program, arrive in the wrong order. The entry for the finger service is more stable (as an instance is run for To illustrate the difference you might nowait. In other words, when inetd each new request), and do not use any like to compare a phone call with a post- receives a request, it launches a finger resources while inactive. card. In the case of a phone call, the server. The server returns a response and You can check the /etc/inetd.conf caller expects the conversation to be terminates. If inetd receives a second or /etc/xinetd.d/* files to find out transmitted without any omissions or request, while the first request is being whether your distribution uses the tradi- errors. In contrast to this, when you mail processed, it immediately calls a second tional inetd or the more modern xinetd a postcard, you simply drop it in the instance of the finger server, which then approach. The finger entry in /etc/ mailbox and hope that it will arrive some handles the request. inetd.conf (see Listing 2) is often pre- time. And you are not really surprised if This would be different for a connec- configured, but disabled by the hash sign it does go astray. tionless service. In this case, inetd cannot know whether an incoming Too much of a good thing? packet belongs to the original request, or Even if you get the configuration right,and Finger also tells you when system adminis- if it should launch a second instance of everything works perfectly,finger can still trators are asleep or on vacation,and thus the server. Connectionless services typi- provide a potential attacker with a lot of unable to respond to attacks. Finger may cally expect a wait entry in this column. information about your network, the com- even show you the fill or stock levels of net- The fifth column of inetd.conf contains puters on the network, their function,and work attached coffee machines,or coke and the name of the Unix user account that the social networks within your enterprise. confectionery vending machines.This in turn inetd will run the service as.