[Bug 278827] fingerd(8): Avoid account leakage due to username ambiguity (RFC 1288)
Date: Tue, 07 May 2024 05:37:48 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278827
Bug ID: 278827
Summary: fingerd(8): Avoid account leakage due to username ambiguity (RFC 1288)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: john@jmarshall.id.au
Created attachment 250500
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=250500&action=edit
[PATCH] Add -m option to fingerd.c, fingerd.8, inetd.conf
PATCH
-----
The attached patch adds a new option to fingerd(8) in the following files.
Given the -m option, fingerd(8) will pass the -m option to finger(1) to ensure
strict username matching to avoid leaking details of multiple accounts arising
from partial matches on username and GECOS fields. This provides the
RECOMMENDED administrator option mentioned in RFC 1288.
- fingerd.c
- fingerd.8
- inetd.conf
RFC 1288
--------
2.5.3. {U} ambiguity
Allowable "names" in the command line MUST include "user names" or
"login names" as defined by the system. If a name is ambiguous, the
system administrator SHOULD be allowed to choose whether or not all
possible derivations should be returned in some fashion (per section
3.2.6).
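To make the ambiguity concrete, here is an added model (not code from this bug, its attached patch, or the FreeBSD finger sources) of the two lookup modes the report contrasts. It approximates BSD finger(1): a query matches a login name, and, unless strict matching (-m) is requested, it also matches any word of the GECOS "real name" field, case-insensitively. The account records are constructed sample data, and the matching rules are an approximation of finger(1), not its actual code.

```python
"""Model of why finger(1)'s default name matching can disclose several
accounts for one query, and what strict (-m) matching withholds.

Assumptions: login names match case-insensitively; without strict mode,
any whitespace-separated word of the real-name portion of GECOS also
matches. This approximates BSD finger(1) and is not its source.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    login: str
    gecos: str  # "Full Name,office,work phone,home phone"


# Constructed sample passwd records (not from any real system).
PASSWD = [
    Account("john", "John Marshall,Room 12,555-0100"),
    Account("jmars", "John Marshall,Room 13"),
    Account("jsmith", "John Smith"),
    Account("mary", "Mary Jones"),
    Account("admin", "Site Administrator"),
]


def real_name_words(gecos):
    """The real name is the first comma-separated GECOS field."""
    return gecos.split(",", 1)[0].split()


def finger_lookup(query, accounts, strict):
    """Return the accounts a finger query would report.

    strict=True  models fingerd -m -> finger -m: login names only.
    strict=False models the default: login OR any word of the real name.
    """
    q = query.lower()
    hits = []
    for acct in accounts:
        if acct.login.lower() == q:
            hits.append(acct)
        elif not strict and any(w.lower() == q for w in real_name_words(acct.gecos)):
            hits.append(acct)
    return hits


def leaked_accounts(query, accounts):
    """Logins the default mode discloses that strict mode does not."""
    loose = {a.login for a in finger_lookup(query, accounts, strict=False)}
    tight = {a.login for a in finger_lookup(query, accounts, strict=True)}
    return sorted(loose - tight)


if __name__ == "__main__":
    for q in ("john", "Marshall", "mary"):
        print(q,
              "default:", [a.login for a in finger_lookup(q, PASSWD, strict=False)],
              "strict:", [a.login for a in finger_lookup(q, PASSWD, strict=True)],
              "leaked:", leaked_accounts(q, PASSWD))
```

A query for "john" returns three accounts in the default mode and exactly one with strict matching; a query for a surname such as "Marshall" returns two accounts by default and none with -m, since no login name matches. That difference is the set of accounts an anonymous remote query can enumerate, which is what the -m option to fingerd(8) is meant to close off.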
STYLE
-----
I wanted to re-work fingerd.8 to re-order and format options as per style(9),
but that same document seems to discourage 'stylistic changes'. I'm happy to do
the work if that's permissible.
SEE ALSO
--------
The patch included with bug #39463 appears to include this functionality but
has been left to rot. I'm hoping that a single-issue patch might get this
through.