Running a finger daemon?

The finger daemon has been maligned for many years, and not without cause. The original daemons had bugs that caused them to dump core, and finger became widely known as one of the ways the original Internet worm (the Morris Worm) spread across the Internet.

The only problem the finger daemon has today is that it provides user data to anyone on the network. This “information leak” will never be resolved as it is why finger exists in the first place.

However, if you put aside the fact that showing user information may be bad, finger can also be quite useful. It is also possible to run it without any network at all, using local data only. If there is no network access to finger (that is, no finger daemon is running), then the risk from finger is minimal.
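To confirm that no finger daemon is reachable on a Linux host, the following added example (not part of the original post) reads the kernel's socket table and reports whether anything is listening on TCP port 79, the standard finger port. The function names and the sample table are constructed for illustration, and the address decoding assumes a little-endian host.

```shell
#!/bin/sh
# Added example: report whether anything is listening on finger's TCP port (79).
# Input is one or more files in Linux /proc/net/tcp format ("-" reads stdin).
# An inetd/xinetd-launched fingerd is caught too: the super-server holds the
# LISTEN socket itself.

# finger_exposure FILE...  -> prints "network", "loopback" or "none"
finger_exposure() {
    awk 'FNR > 1 && $4 == "0A" {            # skip header; 0A = TCP_LISTEN
             n = split($2, a, ":")           # local_address is HEXADDR:HEXPORT
             if (toupper(a[n]) != "004F") next   # 0x004F = 79
             addr = toupper(a[1])
             # On little-endian hosts IPv4 bytes are stored reversed, so
             # 127.x.y.z ends in "7F"; the 32-digit form below is IPv6 ::1.
             if ((length(addr) == 8 && substr(addr, 7, 2) == "7F") ||
                 addr == "00000000000000000000000001000000")
                 lo++
             else
                 net++
         }
         END { print (net ? "network" : (lo ? "loopback" : "none")) }' "$@"
}

# Constructed sample table (not captured from a real host).
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:004F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
EOF
}

echo "constructed sample: $(sample_proc_net_tcp | finger_exposure -)"
for f in /proc/net/tcp /proc/net/tcp6; do
    if [ -r "$f" ]; then echo "$f: $(finger_exposure "$f")"; fi
done
```

A result of "none" for both tables matches the minimal-risk case described above; "network" means a listener on port 79 is bound to a non-loopback address.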

There remains the ability to run a finger daemon on a network – cfingerd was written in order to provide secure finger services, including minimizing information leaks and giving people the ability to turn off finger access to particular users, or to create fake users. Those who wish to run a finger daemon would do well to choose cfingerd; it is enormously configurable.

Some systems include finger by default and some do not. Certainly, none come with a finger daemon active or present.

I will probably try cfingerd just to see how it works – but I wouldn’t recommend it on most production systems.

What is your take? I’d be interested in hearing from people who are actually running finger daemons and finding out why (and how).


2 Responses to Running a finger daemon?

  1. Jon Henry says:

    As a full-time Linux sysadmin, I see no benefit to finger at this point. If I want to look up information about a user, I can look at LDAP and/or Active Directory. If I want to know who is logged into a server, “who” does that just fine. We don’t have a corporate blog or forum, but if users cared enough about having a .plan file, we could mimic that with one of those solutions instead (and introduce new security risks! :))

    Finger was a great idea when it was introduced, but it has outlived its usefulness. I would bet good money that there are only two people in my organization that even know what it is, and one of them is me :)

  2. ddouthitt says:

    There’s no way to easily search LDAP from the command line; likewise for Active Directory. Both require graphical interfaces.

    I must be the only one who used to use it all the time: the command pulls together information from many places – including the /etc/passwd file, the last command, the who command, and other places.

    Several distributions include finger as a part of the default install – or used to, anyway. Servers are a different matter.
