25 May 2011 2 Comments
The finger daemon has been maligned for many years, and not without cause. The original daemons had bugs that caused them to dump core and became widely known as one of the ways the original Internet worm (the Morris Worm) spread across the Internet.
However, if you put aside the fact that showing user information may be bad, finger can also be quite useful. It is also possible to run it without any network at all, using local data only. If there is no network access to finger (that is, no finger daemon is running), then the risk from finger is minimal.
There remains the ability to run a finger daemon on a network – cfingerd was written in order to provide secure finger services, including minimizing information leaks and giving people the ability to turn off finger access to particular users, or to create fake users. Those who wish to run a finger daemon would do well to choose cfingerd; it is enormously configurable.
Some systems include finger by default and some do not. Certainly, none come with a finger daemon active or present.
I will probably try cfingerd just to see how it works – but I wouldn’t recommend it on most production systems.
What is your take? I’d be interested in hearing from people who are actually running finger daemons and finding out why (and how).