The CFINGERD FAQ version 1.0.0
by Ken Hollis <khollis@bitgate.com>
* This FAQ is provided to give information about the cfingerd daemon
program, and to answer some frequently asked questions. These are
some of the questions I get asked frequently, and some of the questions
I figured I should clear up.
* CFINGERD is a free finger daemon replacement for standard finger daemons
such as GNU Finger, MIT Finger, or KFINGERD. CFINGERD is quickly
becoming a respected standard as the finger daemon to use. If you are
unsure about which finger daemon to get, please read over this document
before re-enabling your finger daemon!
--
WHAT IS FINGER?
FINGER is a program that was originally created by MIT to give a user
information about someone on another machine somewhere else on the
Internet. Finger provides information about who you are, what you do,
when you last logged in, when you last read mail, and many more features.
Unfortunately, however, many sites turn off the finger daemon because
it's a security risk. That's unfortunate, as the finger program is
very valuable, and very helpful for friends and other users on the
Internet.
WHAT WILL CFINGERD PROVIDE OVER NORMAL FINGER?
CFINGERD is a program that provides a nicely formatted user information
display. CFINGERD was programmed with the idea that SECURITY was the
top issue in any finger program. Many sites will receive a root finger
before they are attacked. With this finger program, you can now turn
off the ability to have root fingered by adding a ".nofinger" file, or
a file that doesn't allow for fingering of that user (or anonymity.)
Aside from being security conscious, CFINGERD also offers a great deal
of other features that normal finger just couldn't provide. Among
these are the ability to emulate users with scripts, log any finger
requests either by user or globally, offer custom finger services,
display header and footer advertisements, and a nicely formatted
user display to name a few.
Not only this, but cfingerd allows you to provide fingerable services,
which allows for users outside of your system to find out more information
about things you provide; such as information about your ISP, your rates,
or other things of this nature. CFINGERD's fingerable services also
provide the ability to run scripts to display extra information, such as
a traceroute outside of your area. The possibilities are endless.
Of course, you could get GNU Finger, which is ten times larger,
harder to configure, and requires more work to do what you could do with
CFINGERD in just five minutes. Read over this FAQ. After you're done,
read the "README" file, and follow the directions.
WHERE CAN I GET CFINGERD?
CFINGERD's main archive is available on ftp.bitgate.com, which can be
downloaded from the /pub/cfingerd directory. You will want to check this
directory on a periodic basis in case any announcements are given regarding
program updates. Non-official updates (or BETA versions) are also
available on this site. You may want to check the site once a week or so
to check on new updates. Usually, the betas are in testing, and will
not be given tech support, so be warned.
The alternative is to get CFINGERD from sunsite.unc.edu in the directory
/pub/Linux/system/Network/finger. This is the main upload site for any
updates after they become official.
HOW DO I INSTALL CFINGERD ONCE I GET IT?
The answer is simple. Simply type "Configure" and answer the questions
the configuration script prompts you for. Once that's done, simply
edit the necessary files, or type "make all" and you will be on your way
to a complete install of cfingerd. You will also need to add a line to
inetd.conf (or at least change one.) Those instructions are in the
included "README" file with the standard distribution.
WHAT OPERATING SYSTEMS ARE COMPATIBLE WITH CFINGERD?
Currently, only Linux and BSD are supported. If you have an operating
system other than those mentioned, and know enough about C to provide a
patch, my E-Mail door is always open. :)
IS THERE A MAILING LIST FOR UPDATES?
Yes. If you wish to join the cfingerd mailing list, simply send a
message to "cfingerd-list-request@bitgate.com", with the word
"SUBSCRIBE" in the subject of the message. New upgrades and releases
will be announced as they become available.
I HAVE A PATCH - HOW DO I SUBMIT THE PATCH FOR APPROVAL?
Most patches I receive by E-Mail are added without even blinking an eye.
If you have a patch, please just E-Mail the source to me, and I'll add it.
You can also mail the patch to the mailing list, if you're on it.
WHAT ABOUT A WEB PAGE?
Unfortunately, cfingerd no longer has a web page. Everything you need
to know about it is in here, anyway.
--
Commonly asked questions:
Q. WHY DOES THIS PROGRAM RUN AS ROOT???
A. Although it may not make sense to you at first glance, the daemon runs as
root for many security reasons. First off, the cfingerd.conf file itself
should be root read-only, so other users can't see how you have cfingerd
set up. Secondly, in order for cfingerd to change to the User ID and
Group ID of the user someone fingered, it must run as root. If you run
it as nobody, and finger someone with their home directory of mode 700,
you will NOT be able to read the .plan or .project files, REGARDLESS.
Don't worry, though. The Configure script locates your nobody UID/GID
automatically, and uses this whenever it performs most of its work. It
also executes programs as nobody to ensure total security.
Also, keep in mind that all of the UID/GIDs get changed to the NOBODY
UID/GID *immediately* after file opens, executions of programs, or
whatever else. NO PROGRAMS ARE STARTED OR READ AS ROOT!
""""""""""""""""""""""""""""""""""""""""
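
The switch to the nobody UID/GID described in this answer only holds if the IDs are changed in the right order and the result is checked. The following C function is an added example, not code from cfingerd; the name drop_privileges is hypothetical, and it shows a permanent drop of the kind done before running a program.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for setgroups() and seteuid() on glibc */
#endif
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example (hypothetical helper, not taken from cfingerd).
 * Permanently switch the process to uid/gid, e.g. the "nobody" account.
 * Returns 0 on success, -1 if any step failed; on -1 the caller must
 * exit instead of carrying on with whatever privileges are left. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* 1. Supplementary groups first: only root may change them, and
     *    keeping root's group list would defeat the drop. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;

    /* 2. Group before user: once the UID is no longer 0, setgid() to an
     *    arbitrary group is not permitted any more. */
    if (setgid(gid) != 0)
        return -1;

    /* 3. Called as root, setuid() sets the real, effective and saved UID
     *    together, so no saved root ID remains to switch back to. */
    if (setuid(uid) != 0)
        return -1;

    /* 4. Verify the result instead of trusting the return codes. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;               /* root could be regained */

    return 0;
}
```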
Q. I've seen a patch lying around known as "cfingerd-1.3.0-noroot".
Should I use this instead of this version?
A. You can if you want, I'm not stopping you. :) Actually, the reason
this file was released was because the security holes in cfingerd were
not completely removed. (No program is perfect; take sendmail's
security holes for instance.) Since version 1.3.1 has been out, no
more security holes of any kind have been reported dealing with the
fact that CFINGERD runs as root.
Q. Do you need to have cfingerd run with tcpd?
A. No. RFC1413 (Host identification) has been put into cfingerd as an
accepted standard. RFC1413 not only provides security for your system,
but it also identifies who's accessing your system at a given time.
Since RFC1413 support is internal, there's no reason to run the tcpd
wrapper around the program. Think of it as an extra security measure.
Q. When someone fingers my machine, it loops around and keeps spawning finger
processes on my machine! Help!
A. The reason this is happening is most likely because you have a finger
forward that forwards to another system which is pointing back to your
own originating system. This will cause an endless loop. CFINGERD
will fix this in a later revision (hopefully.)
Another cause could be that you've got multiple finger list sites that
are pointing to each other. For instance, you set up one finger site
on one system, and another on one other computer. On computer "A", it
points to "foo.com", and "foo.com" points to "bleah.com". Well, since
computer "A" is bleah.com, it will keep looping and looping, and looping.
The way to stop this is to set system_list_sites to one entry, and make
that entry "localhost".
There are many solutions to this problem. The best one that comes to
mind may be the fact that you have ALLOW_FINGER_FORWARDING turned on,
and no entries in the finger_forward listing of hosts. Having an
entry of localhost alone in this section will make the processes spawn
over-and-over again.
Q. When a site fingers my system, I get a syslog entry that says
"unknown@alarm.signal".
A. This simply means that the site that fingered your system failed to
respond to an RFC1413 client query, and thus timed out, returning
a standard unknown response.
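
The RFC1413 lookup mentioned in the tcpd answer and the timeout described here, as an added example in C (not cfingerd's code; the name ident_user and any sample replies are constructed): a reply is parsed, checked against the port pair that was asked about, and reduced to a string that is safe to write to syslog, with "unknown" as the fallback when the remote identd times out or reports an error. The reply is whatever the remote host chooses to send, so it serves as a logging aid and not as authentication.

```c
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical helper, not cfingerd code).
 * reply:      one line read from the remote identd, NULL if it timed out.
 * their_port: source port of the incoming finger connection.
 * our_port:   local port it connected to (79 for finger).
 * Writes a log-safe user name to out ("unknown" on any failure) and
 * returns 1 only when a well-formed USERID reply was accepted. */
int ident_user(const char *reply, int their_port, int our_port,
               char *out, size_t outlen)
{
    int p1, p2, n = 0;
    char kind[8];
    const char *id;
    size_t i = 0;

    if (outlen == 0)
        return 0;
    snprintf(out, outlen, "unknown");
    if (reply == NULL)                          /* query timed out */
        return 0;
    /* "<their-port> , <our-port> : USERID|ERROR :" */
    if (sscanf(reply, " %5d , %5d : %7[A-Z] :%n", &p1, &p2, kind, &n) != 3
        || n == 0)
        return 0;                               /* malformed */
    if (p1 != their_port || p2 != our_port)
        return 0;                               /* not about our connection */
    if (strcmp(kind, "USERID") != 0)
        return 0;                               /* ERROR : NO-USER and so on */
    id = strchr(reply + n, ':');                /* skip "<opsys>[,<charset>] :" */
    if (id == NULL)
        return 0;
    for (id++; *id == ' '; id++)                /* leading blanks dropped here */
        ;
    if (*id == '\0' || *id == '\r' || *id == '\n')
        return 0;                               /* empty user id */
    /* The remote side controls every byte: keep printable ASCII only, and
     * still log the result through a "%s" format, never as the format. */
    for (; *id && *id != '\r' && *id != '\n' && i + 1 < outlen; id++)
        out[i++] = (*id > 0x20 && *id < 0x7f) ? *id : '_';
    out[i] = '\0';
    return 1;
}
```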
Q. When someone fingers my system, I get "illegal character in username".
A. Your finger program may be sending a "-L" or a "/W" command when fingering
the system. cfingerd does not support the long formatted display of
normal GNU finger. This is not an RFC standard, anyway. The way to
remedy this is to either remove the alias to "finger -l" or to get a new
finger program altogether.
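
One way a daemon can arrive at this error, shown as an added example in C (not cfingerd's code; classify_query, the character whitelist and the 32-character cap are assumptions): the request line is checked against a whitelist before the name is used for account lookups, file names or script arguments, so "/W" and "-L" are refused along with anything that looks like a path.

```c
#include <ctype.h>
#include <string.h>

enum query_kind { Q_USERLIST, Q_USER, Q_FORWARD, Q_ILLEGAL };

/* Added example (hypothetical, not cfingerd code): classify one finger
 * request line. On Q_USER the validated name is copied to user, which
 * must hold at least len bytes. */
enum query_kind classify_query(const char *line, char *user, size_t len)
{
    size_t n = strcspn(line, "\r\n");    /* the request ends at CRLF */
    size_t i;

    if (n == 0)
        return Q_USERLIST;               /* empty line: list logged-in users */
    if (n >= len || n > 32)
        return Q_ILLEGAL;                /* over-long name (assumed cap: 32) */
    if (memchr(line, '@', n) != NULL)
        return Q_FORWARD;                /* user@host: left unvalidated here,
                                            belongs to the forwarding policy */

    /* Whitelist: letters, digits and '_' anywhere; '.' and '-' only after
     * the first character. "/W" fails on '/', "-L" on the leading '-',
     * and "../x" on the leading '.'. */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        if (isalnum(c) || c == '_' || ((c == '.' || c == '-') && i > 0))
            continue;
        return Q_ILLEGAL;
    }
    memcpy(user, line, n);
    user[n] = '\0';
    return Q_USER;
}
```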
Q. My header files aren't being displayed properly. cfingerd's not
intercepting the commands.
A. Try adding the line "+ALLOW_LINE_PARSING" to your internal_config
section. That usually helps.
Q. The no-name banner isn't showing, and I have it set to true!
A. Make sure system_list is set to FALSE for remote systems. If it's not,
the SYSTEM_LIST variable (if set to true) will override the
NO_NAME_BANNER option.
Q. I have a big site, and I'm trying to list users that are on that site!
It's not working, and I'm sure I've set it up correctly!
A. Make sure that "+ALLOW_USERLIST_ONLY" is set in the internal_config
section. Also, make sure that "localhost" is the last entry in the
system_list_sites configuration section. If it's placed anywhere else
in that section, it will stop at that entry. "localhost" is considered
to be the ending entry.
Q. When I finger someone on the system, it says "This daemon must be run as
root!"
A. The way to fix this is to change the inetd.conf entry from "daemon" to
"root" permissions. This can be done by using the following entry in
your inetd.conf file:

    finger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.cfingerd

Save that, then restart your inetd program. (This can be done by typing
"killall -HUP inetd"). Then, finger away!
Q. If I have a bug, what do I do?
A. I've received messages that simply have the entry "SIGSEGV Received!"
and nothing else was sent. If you expect to get a helping hand, please
at least send your cfingerd.conf file. I've had lots of people
modifying the cfingerd.conf file, adding spaces here and there, or
tabs here and there. DO NOT change the format, only the ASCII chars.
DO NOT SUBSTITUTE SPACES FOR TABS. If all else fails, re-copy the
original cfingerd.conf file into your /etc directory. Chances are,
something got messed up during the modification.
Q. I see ".fingerlog (Operation not permitted)" in my syslog! What now?
A. Most likely, you were running an older version of cfingerd that had
root access to that file. The new cfingerd is trying to change that
file, and doesn't have access to it. To fix this, type:
"chown user.group .fingerlog", and all will be well.
--
Ken Hollis <khollis@bitgate.com>
Bitgate Software