Finger Pointing

SYSADMIN Admin-Workshop: Finger Server

Part 2: Setting up and Using the Finger Server Finger Pointing The finger service can be used to let other people know about your activities and appointments, without having to launch a complex groupware applica- tion.The protocol is amazingly simply – and that is one reason why we will be using finger as our entrée into the world of Server administration.

BY MARC ANDRÉ SELIG

lexible working hours can be a pain files. A daemon processes the requests could be exploited via this type of mech- sometimes. You end up talking to and supplies information on those users. anism.” Fan answer phone while a colleague If you want to use this service to pub- Of course many developers and ad- is still enjoying breakfast, or has already lish information about yourself, you mins simply ignore this warning today, gone home. Some people simply pin create a file called .plan or .project in keeping their Apaches with Mod_perl their schedules to their office doors, your home directory. The main differ- and Mod_php, and solemnly swearing to which is quite useful, unless your office ence is that a .project file traditionally apply the appropriate security patches, happens to be in a completely different consists of a single line, whereas a .plan when they get round to it. part of your office building. There is a lot file provides you with more scope. The The finger daemon adds system data to be said for groupware products if you .plan file is where you would store calen- to the information posted by a user, such need to organize a meeting and co-ordi- dar data or a PGP public key. as the shell, the last login time, or even nate schedules for a group of colleagues. information on unread mail. Listing 1 Although this might surprise some Security and the Finger shows the results of a sample query fin- people, Outlook and co. were not the Service ger Selig@localhost on my own host. first groupware products on the scene – Chapter 3 of RFC 1288 provides an usual The daemon parses /etc/passwd for in fact, the finger protocol was originally amount of detail on security aspects, the username. This is where it retrieves specified way back in 1977 [1]. Of especially considering the fact that the the full name, and the user’s room and course, modern groupware applications document is over ten years old (Decem- phone numbers. These three snippets of offer a lot more, but in many cases finger ber 1991). Some of the more interesting information are stored in the so-called is quite adequate. In addition, it tells you sections are still applicable to more mod- GECOS field. GECOS is the acronym a lot about the typical Unix philosophy. ern forms of networks, such as dynamic for General Electric Comprehensive websites or web services. Operating System, which was a fairly How Finger Works When they receive a request, some fin- widespread operating system around Finger’s basic design is wonderfully sim- ger servers call a user configurable 1970. Although GECOS is insignificant in ple, you might even say primitive – and external program. The RFC says: “Im- retrospect, this field with its “human” thus, a perfect example of a client/server plementing this feature may be more data migrated from GECOS to Unix and service. Users on a system store informa- trouble than it is worth, since there are retains the name to indicate its parent- tion about themselves in simple text always bugs in operating systems, which age. If you want to change this information, you should call chfn (change fin- Listing 1: Finger request ger), rather than editing the /etc/passwd 01 Login: mas Name: Marc 07 Project: file directly. Andre Selig 08 I'm busy with an article for 02 Directory: /home/mas Shell: Linux Magazine at present. Stop finger pointing /bin/bash 09 Plan: Finger allows end-users either to encour- 03 On since Mon Sep 8 11:20 10 This age other users to point (the finger (CEST) on pts/0 from :0 11 is daemon) at them, or to prevent finger 04 50 seconds idle 12 my access. You can create a file called .nofin- 05 On since Mon Sep 8 16:49 13 .plan ger in your home directory to reject the (CEST) on pts/1 from :0 14 it can contain more than just BSD daemon typical to so many Linux 06 No mail. one line. systems without any qualms. You can also prevent finger activity more or less

56 December 2003 www.linux-magazine.com Admin-Workshop: Finger Server SYSADMIN

accidentally by assigning incorrect file permissions. .plan and .project need to Listing 2: The finger daemon in inetd be globally readable, and the daemon finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd expects at least look-up privileges for your home directory (chmod 711 ~ and chmod 644 ~/.plan). #, at the start of the line. You can simply The third column in /etc/inetd.conf delete the hash sign to enable the server. describes the protocol. This column typi- The Daemon inetd.conf reads like a table where cally contains either tcp for TCP/IP The finger server is included with most each line represents a specific service (connection oriented) and udp for distributions, but not installed by de- that the Internet super-server enables. UDP/IP (connectionless). This would fault. In this case, you will need to add The individual columns provide more seem to make the column redundant at the finger and finger-server packages. If detail about the service. first glance – but this is not true. Remem- you are having trouble finding the pack- ber that TCP/IP is not the only protocol age, you can search for bsd-finger to Protocol Issues family. Just like the service name, the locate the sourcecode. The first column in the line contains the entry in the third column is again a sym- Installing the server will not tell it name of the service. It is important to bol that Linux will translate into a to launch automatically. Linux distin- inetd that this name uniquely identifies number, by referring to the /etc/protocols guishes between two different categories the IP port. The operating system looks file. of server. One of them runs continuously in /etc/services to discover the port as a process, can react immediately to assigned to the symbolic name. To Wait or Not to Wait? incoming connections and assign re- The second column contains the The fourth column tells inetd to wait for sources independently as required. But socket type: stream indicates a connec- the current instance of the server pro- finger belongs to the other category. tion-oriented service; dgram (datagram) gram to terminate (wait), or not to wait When required, the daemon is launched a connectionless service. Connection ori- (nowait). In the latter case, inetd imme- by a central script called inetd (the so- ented services use a datastream to diately launches a new server process, called Internet super-server) or xinetd, exchange data and expect the protocol to when it receives a request for the allowing it to respond to current provide a reliable transport service. Con- service. requests. nectionless services simply transmit This may seem superfluous at first The latter method has its advantages. individual packets that may go astray or glance, but it is an important decision. Servers are more simple to program, arrive in the wrong order. The entry for the finger service is more stable (as an instance is run for To illustrate the difference you might nowait. In other words, when inetd each new request), and do not use any like to compare a phone call with a post- receives a request, it launches a finger resources while inactive. card. In the case of a phone call, the server. The server returns a response and You can check the /etc/inetd.conf caller expects the conversation to be terminates. If inetd receives a second or /etc/xinetd.d/* files to find out transmitted without any omissions or request, while the first request is being whether your distribution uses the tradi- errors. In contrast to this, when you mail processed, it immediately calls a second tional inetd or the more modern xinetd a postcard, you simply drop it in the instance of the finger server, which then approach. The finger entry in /etc/ mailbox and hope that it will arrive some handles the request. inetd.conf (see Listing 2) is often pre- time. And you are not really surprised if This would be different for a connec- configured, but disabled by the hash sign it does go astray. tionless service. In this case, inetd cannot know whether an incoming Too much of a good thing? packet belongs to the original request, or Even if you get the configuration right,and Finger also tells you when system adminis- if it should launch a second instance of everything works perfectly,finger can still trators are asleep or on vacation,and thus the server. Connectionless services typi- provide a potential attacker with a lot of unable to respond to attacks. Finger may cally expect a wait entry in this column. information about your network, the com- even show you the fill or stock levels of net- The fifth column of inetd.conf contains puters on the network, their function,and work attached coffee machines,or coke and the name of the Unix user account that the social networks within your enterprise. confectionery vending machines.This in turn inetd will run the service as. The super- Who works when? On what? And with tells you a lot about the staff’s attitude to daemon does not automatically launch whom? Which computers do not have any work. each server as root; instead you can user accounts? All of this information can be obtained by specify the privileges assigned to the Servers are typically well secured. A machine other means,but it would mean the attacker with a whole bunch of user accounts is just putting more effort into footprinting.This is server program. looking to be attacked. Machines with the official reason for most sites doing with- Column six contains the path to the masses of shells often reveal unexpected out finger today.However, the universal use server executable. Any following fields security holes,although they may be of web servers certainly plays an important contain command line arguments for the allowed quite generous access to a company role in this area – often with far more serious server, where the first argument (argu- network. consequences than a straightforward tool ment number zero) repeats the name of like finger. the program.

www.linux-magazine.com December 2003 57 SYSADMIN Admin-Workshop: Finger Server

If your distribution uses useful for firewalls. This xinetd, it should have a type of request uses the minimal configuration file User@Hostname format. for finger /etc/xinetd.d/fin- The technique even works ger (see Listing 3). There across multiple finger ser- are no major differences in vers. You can use an @ the actual content, although sign to separate any addi- inexperienced users will tional hostnames in the probably prefer the en- request. hanced readability of this Each finger command format. line ends with CRLF (Car- Any changes made to riage Return plus Line /etc/inetd.conf or /etc/ Feed), which is typical of a xinetd.d typically apply TCP connection. Although after re-starting the super- Unix and Linux use a sim- server. You can kill -HUP ple Line Feed to separate processID to parse and newlines, nearly every TCP apply its new configuration based protocol uses CRLF. at runtime. The idea is to allow systems with different The Finger Protocol architectures to talk to each You do not need a protocol other, such as Windows analyzer to watch finger at computer, which use CRLF work on a network, in fact, natively to keep things sim- you do not even need a fin- Figure 1: If you want to add a finger request to your homepage, you can use a Web ple, or Apple Macintosh ger client. Instead, you can interface to do so. As the protocol is extremely simple, it does not take long to machines that only use CR simply direct finger to the develop a front-end as a newline character. server using a simple Telnet The end-of-line character client. If you prefer to read the specifica- telnet localhost 79 is referred to by various names in man- tion, check out RFC 1288 [2] for the pages and many how-tos. As you can current version. The Telnet client will then output three type a Line Feed by pressing [Control]+J The server runs on port 79, just one lines of data: by default, you may see references to ^J. below the HTTP port, 80. It uses a con- C and related languages use \n. Newline nection oriented protocol, TCP/IP, for Trying 127.0.0.1... is shown hex 0x0a, or decimal 10, in transmissions, but not UDP/IP, which is Connected to localhost. ASCII code. Carriage Return is referred to used by connectionless services, such as Escape character is '^]'. variously as ^M and \r, hex 0x0d, or dec- DNS, NTP, or Syslog. To use finger, you imal 13. will need to lift any firewall or packet fil- Telnet has opened up a connection to ter restrictions for port 79. You can easily 127.0.0.1 (that is localhost). The Escape Finger without Fear check the availability of the server by character is for the Telnet client. The Before you actually run a finger server typing netstat -tan | grep :79 – this daemon is now waiting for individual on your network, make sure that you should produce at least one line of out- instructions. Try typing mas. The server read the “Security and the Finger Ser- put indicating that the TCP service on will interpret this search key both as a vice” insert. If you are familiar with port 79 is in the LISTEN state. Linux username and as a full name. Any finger, you will know that you really Type the following command to talk to matches for these variants are returned have nothing to fear – finger has a lot of the daemon: across the open TCP connection (see good points. ■ Listing 1), which the daemon then Listing 3: The finger closes. INFO daemon in xinetd Is anyone there? [1] RFC 742, the original protocol specifica- service finger tion from 1977: If you simply press [Return], rather { http://www.ietf.org/rfc/rfc742.txt than typing an entry in the command socket_type = stream [2] RFC 1288, the current version of the finger line, the finger daemon will return a list wait = no protocol specs: of logged on users. Recursive requests user = nobody http://www.ietf.org/rfc/rfc1288.txt are also permissible. A recursive request server = /usr/sbin/in.fingerd [3] Linux manpages as additional reference will tell the finger server to connect to disable = no material for this article:finger(1),in.fin- another finger server, and retrieve the } gerd(8),chfn(1) and ascii(7). requested data from that server. This is

58 December 2003 www.linux-magazine.com