From vince@pele.WURLDLINK.NET Sun Oct 31 11:49:50 1999
Return-Path: <vince@pele.WURLDLINK.NET>
Received: from pele.WURLDLINK.NET (pele.WURLDLINK.NET [208.164.68.2])
	by hub.freebsd.org (Postfix) with ESMTP id C517914A1B
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 31 Oct 1999 11:49:49 -0800 (PST)
	(envelope-from vince@pele.WURLDLINK.NET)
Received: (from root@localhost)
	by pele.WURLDLINK.NET (8.9.3/8.9.3) id JAA22469;
	Sun, 31 Oct 1999 09:50:08 -1000 (HST)
	(envelope-from vince)
Message-Id: <199910311950.JAA22469@pele.WURLDLINK.NET>
Date: Sun, 31 Oct 1999 09:50:08 -1000 (HST)
From: Vincent Poy <vince@pele.WURLDLINK.NET>
Reply-To: vince@pele.WURLDLINK.NET
To: FreeBSD-gnats-submit@freebsd.org
Subject: pidentd doesn't work correctly as root under -CURRENT,3.3-RELEASE,3.3-STABLE
X-Send-Pr-Version: 3.2

>Number:         14625
>Category:       ports
>Synopsis:       pidentd doesn't work correctly for finger since it will only show the username nobody@ instead of root@ when it's performed by the root user.  pidentd works fine for root for all other protocols.  It seems like pidentd
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 31 11:50:00 PST 1999
>Closed-Date:    Mon Jan 24 17:01:29 PST 2000
>Last-Modified:  Mon Jan 24 17:03:01 PST 2000
>Originator:     Vincent Poy
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Wurldlink Corporation - San Francisco - Honolulu - Hong Kong
>Environment:

FreeBSD 3.3-RELEASE, 3.3-STABLE and -CURRENT machines

>Description:

pidentd doesn't work correctly for finger since it will only show the
username nobody@ instead of root@ when it's performed by the root user.
pidentd works fine for root for all other protocols.  It seems like pidentd
for the finger service works for non-root users.  This problem only appears
in -CURRENT and 3.3-RELEASE as well as 3.3-STABLE.

>How-To-Repeat:

finger @localhost as both a normal user and root.  tcpd will need to
call up banners which have the string [%u@%h], which should resolve the
user@FQDN from a pidentd installed machine.

>Fix:

	No idea about this one

>Release-Note:
>Audit-Trail:

From: Marcin =?iso-8859-2?Q?Cie=B6lak?= <saper@system.pl>
To: freebsd-gnats-submit@freebsd.org, vince@pele.WURLDLINK.NET
Cc:  
Subject: Re: ports/14625: pidentd doesn't work correctly for finger since it will 
 only show the username nobody@ instead of root@ when it's performed by 
 the root user.  pidentd works fine for root for all other protocols.  It 
 seems like pidentd
Date: Sun, 31 Oct 1999 21:03:06 +0100

 This is a feature of a "finger" client utility, not a bug in any daemon
 service.  The "finger" utility, when started by root, drops its privileges
 to an unprivileged user, most often "nobody", in order to increase the
 security of the system against, for example, hostile finger daemons.
 
 --
                  << Marcin Cieslak // saper@system.pl >>
 
 -----------------------------------------------------------------
 SYSTEM Internet Provider                     http://www.system.pl
 
 
 
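The mechanism Marcin describes, as an added example that is not part of this PR nor code from pidentd, finger or tcpd: a small Python simulation of an RFC 1413 ident exchange in which the client host's identd answers with the owner of the local socket, so a finger client that switched to nobody before connecting is reported as nobody in the tcpd [%u@%h] banner. The uid table, host name and port numbers are constructed for the example.

```python
# Added example (not from the PR): simulates an RFC 1413 ident responder
# and a privilege-dropping finger client to show why tcpd's [%u@%h]
# banner reads nobody@host when root runs finger.  All tables are
# constructed; no real sockets are opened.
import re

PASSWD = {0: "root", 65534: "nobody", 1001: "vince"}   # constructed uid -> name
IDENT_REQ = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def finger_connect(sockets, running_uid, local_port, remote_port=79, drop_privs=True):
    """Register the client's socket under the uid that owns it.  A finger
    client started as root that drops to 'nobody' before connecting (as
    Marcin describes) leaves a socket owned by nobody, not root."""
    effective_uid = 65534 if (running_uid == 0 and drop_privs) else running_uid
    sockets[(local_port, remote_port)] = effective_uid
    return effective_uid

def ident_response(request_line, sockets, passwd=PASSWD):
    """Answer one ident query.  The responder runs on the finger client's
    host, so RFC 1413's 'server port' is the client's own local port."""
    m = IDENT_REQ.match(request_line)
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT"   # malformed request (our choice)
    lport, rport = int(m.group(1)), int(m.group(2))
    if not (0 < lport < 65536 and 0 < rport < 65536):
        return f"{lport} , {rport} : ERROR : INVALID-PORT"
    uid = sockets.get((lport, rport))
    if uid is None:
        return f"{lport} , {rport} : ERROR : NO-USER"
    return f"{lport} , {rport} : USERID : UNIX : {passwd.get(uid, str(uid))}"

def tcpd_banner(ident_reply, client_host):
    """Expand [%u@%h]: %u is the USERID field of the ident reply, or
    'unknown' when the reply is an error; %h is the client host name."""
    fields = [f.strip() for f in ident_reply.split(":")]
    user = fields[3] if len(fields) == 4 and fields[1] == "USERID" else "unknown"
    return f"[{user}@{client_host}]"

def banner_for(running_uid, drop_privs=True, host="pele.example.net"):
    """End to end: client connects to fingerd, fingerd's tcpd asks the
    client host's identd about that connection, banner is expanded."""
    sockets = {}
    finger_connect(sockets, running_uid, local_port=40001, drop_privs=drop_privs)
    reply = ident_response("40001 , 79", sockets)   # "<client port> , <fingerd port>"
    return tcpd_banner(reply, host)

if __name__ == "__main__":
    print(banner_for(0))                    # root ran finger, privileges dropped
    print(banner_for(0, drop_privs=False))  # a client that keeps root
    print(banner_for(1001))                 # an ordinary user
```

The ident reply only ever names the uid that owns the socket on the remote host, which is why the daemon side cannot recover "root" once the client has switched users.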

From: Vincent Poy <vince@pele.WURLDLINK.NET>
To: Marcin =?iso-8859-2?Q?Cie=B6lak?= <saper@system.pl>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: ports/14625: pidentd doesn't work correctly for finger since it
 will  only show the username nobody@ instead of root@ when it's performed
 by  the root user.  pidentd works fine for root for all other protocols. 
 It  seems like pidentd
Date: Sun, 31 Oct 1999 10:09:16 -1000 (HST)

 On Sun, 31 Oct 1999, Marcin Cieślak wrote:
 
 > 
 > This is a feature of a "finger" client utility, not a bug in any daemon
 > service.
 > "finger" utility, when started by root, drops its privileges to
 > unprivileged
 > user, most often "nobody" in order to increase security of the system
 > against for example hostile finger daemons.
 
 	The only problem with this is if someone else with FreeBSD tries
 to attack a box using the finger service as root, the logs would serve no
 purpose if it shows nobody@theirdomain.
 
 
 Cheers,
 Vince - vince@WURLDLINK.NET - Vice President             ________   __ ____ 
 Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
 WurldLink Corporation                                  / / / /  | /  | __] ]  
 San Francisco - Honolulu - Hong Kong                  / / / / / |/ / | __] ]
 HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
 Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
 
 

From: Vincent Poy <vince@pele.WURLDLINK.NET>
To: Marcin =?iso-8859-2?Q?Cie=B6lak?= <saper@system.pl>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: ports/14625: pidentd doesn't work correctly for finger since it
 will  only show the username nobody@ instead of root@ when it's performed
 by  the root user.  pidentd works fine for root for all other protocols. 
 It  seems like pidentd
Date: Sun, 31 Oct 1999 10:36:16 -1000 (HST)

 Just wanted to say that Marcin had a very good point.  I thought it was a
 bug since it was working correctly up to 3.2R.  It seems like there are a
 bunch of kids who attack systems as root@somedomain from their linux
 boxes.
 
 
 Cheers,
 Vince - vince@WURLDLINK.NET - Vice President             ________   __ ____ 
 Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
 WurldLink Corporation                                  / / / /  | /  | __] ]  
 San Francisco - Honolulu - Hong Kong                  / / / / / |/ / | __] ]
 HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
 Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
 
 
Responsible-Changed-From-To: freebsd-ports->green  
Responsible-Changed-By: cpiazza 
Responsible-Changed-When: Sun Oct 31 15:58:00 PST 1999 
Responsible-Changed-Why:  
Green was the last person to touch this port 
State-Changed-From-To: open->feedback 
State-Changed-By: green 
State-Changed-When: Sun Oct 31 18:10:35 PST 1999 
State-Changed-Why:  
This is a non-issue.  If you can show me any case where it matters that
the log says "nobody" instead of "root", let me know.  This is _not_ a
pidentd issue.
State-Changed-From-To: feedback->closed 
State-Changed-By: green 
State-Changed-When: Mon Jan 24 17:01:29 PST 2000 
State-Changed-Why:  
This isn't a bug. 
