It's possible to make .plan or .project named pipes, which means that the act of reading them can cause code to be executed. If finger executes suid root, then said code can execute as root. The potential for mischief should be obvious.

Thus spake Rostislav Vorobyev on Mon, May 22, 2000 at 02:01:00AM CDT
> Dear friends,
>
> Can someone explain to me why people do not set 4755 permission on a finger
> program? I see good reasons to do that: if a user does not allow others to see
> his/her ~user tree, finger will display .plan, .project and maybe .pgp --
> depending on the finger version -- in any case. Maybe there are special
> reasons not to do that? Security? Something else?
>
>
> Thank you in advance,
>
> Rost
>
>
>
> --
> Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
>

--
Lindsay Haisley       | "Everything works | PGP public key
FMP Computer Services |  if you let it"   | available at
[EMAIL PROTECTED]     |  (The Roadie)     | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                   |
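
The named-pipe concern raised in the reply above can be handled by a reader that refuses anything other than a regular file. The following is an added example, not part of the original thread and not finger's own code; `open_user_file` and `demo` are hypothetical names, the files are constructed in a temporary directory, and dropping privileges before the read is a separate measure not shown here.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-controlled file such as ~/.plan without trusting its type.
 * Returns a descriptor for a regular file; -1 for FIFOs, symlinks, devices. */
int open_user_file(const char *path)
{
    /* O_NONBLOCK: opening a FIFO with no writer returns at once, no hang.
     * O_NOFOLLOW: fail if the final path component is a symlink. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
    struct stat st;

    if (fd < 0)
        return -1;
    /* Check the opened descriptor, not the path, so the file cannot be
     * swapped between the check and the read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a temp directory. Returns a bitmask:
 * 1 = regular file accepted, 2 = FIFO rejected, 4 = symlink rejected. */
int demo(void)
{
    char dir[] = "/tmp/fingerdemoXXXXXX", plan[64], proj[64], pgp[64];
    int fd, ok, result = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(plan, sizeof plan, "%s/.plan", dir);
    snprintf(proj, sizeof proj, "%s/.project", dir);
    snprintf(pgp, sizeof pgp, "%s/.pgp", dir);
    if ((fd = open(plan, O_WRONLY | O_CREAT | O_EXCL, 0644)) >= 0)
        close(fd);
    ok = mkfifo(proj, 0644) == 0 && symlink(plan, pgp) == 0;
    if (ok && (fd = open_user_file(plan)) >= 0) { result |= 1; close(fd); }
    if (ok && open_user_file(proj) < 0) result |= 2;
    if (ok && open_user_file(pgp) < 0) result |= 4;
    unlink(plan); unlink(proj); unlink(pgp); rmdir(dir);
    return result;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```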