Tips for GNU Finger and the like

GNU Finger

History of GNU Finger

In the good old days (TM), user Anton regularly wanted to know whether user Beatrice was sitting at the computer. Since there were only two computers on the campus, Anton wrote a program that reported who was sitting at the computer. The program did what it had to do, and Anton saw that it was good.

Some years later the university bought many new, multicolored computers, so that every user usually had their own workstation. The problem now was that users changed workstations frequently. GNU saw that this defeated the original intention of finger and wrote GNU finger, which reports all users of a cluster and, on request, the free workstations.

GNU finger was apparently developed up to version 1.37. This version dates from 1992...

There is an alpha version of a new GNU Finger (currently 1.39a5). Have a look at
ftp://alpha.gnu.org/gnu/finger/
Although I haven't tested it so far, it still seems rather buggy and hard to compile on some systems.

Compilation

Please also have a look at the section Bugs and Fixes.

GNU finger uses a version of autoconf from 1992, so its configure script is no longer up to date, and compilation under Linux, NetBSD and even Solaris fails. Here are some tips to make it work:

Bugs and Fixes

fingerd-Crash

GNU finger is more or less completely buggy... Without the fix, the server will crash every 5 minutes. A completely wrong memory-release loop is responsible. Here is the bug fix:

--- lib/packet.c.orig   Wed Oct 21 23:04:38 1992
+++ lib/packet.c    Wed Mar  3 15:25:45 1999
@@ -314,8 +314,15 @@
 
          end = i;
 
-         for (i = start; i < end; i++)
+         /* IMHO This is completely broken...
+            1. free doesn't set list[i] to NULL
+            2. the second loop should be a while-loop...
+            */
+
+         for (i = start; i < end; i++) {
            free (list[i]);
+           list[i] = (FINGER_PACKET *)NULL; /* added by mgb */
+         }
 
          for (i = 0; list[end + i]; i++)
            list[start + i] = list[end + i];
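
Review bot: The copy loop at the end of the hunk, for (i = 0; list[end + i]; i++), stops at the terminating NULL without copying it, and the patch leaves that loop unchanged even though the new comment flags it. When more entries follow end than were freed, the slots from start + i onward still hold pointers that were just moved down, so the list carries duplicates that a later pass could free twice. Unless code after this hunk already terminates the list, add list[start + i] = NULL; after the copy loop (or restructure it as the comment suggests). The "IMHO" remark and the "added by mgb" tag belong in the change description rather than in the source.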

Security Hole

In order to run $HOME/.fingerrc scripts, GNU Finger changes its user and group id to those of the user, but in the wrong order: it calls setuid before setgid. It also does no error handling, which can hardly be called fortunate. Here is the patch:

--- lib/site/userinfo.c.orig       Tue Oct 27 04:07:44 1992
+++ lib/site/userinfo.c    Thu Mar  4 13:32:58 1999
@@ -248,8 +248,14 @@
            }
 
          /* Set uid/gid */
-         setuid (user->pw_uid);
-         setgid (user->pw_gid);
+         if (setgid (user->pw_gid)<0) {
+           printf ("setgid failed: %i\n",errno);
+           exit(-1);
+         }
+         if (setuid (user->pw_uid)<0) {
+           printf ("setuid failed: %i\n",errno);
+           exit(-1);
+         }
 
          /* Set default directory */
          chdir (user->pw_dir);
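
Review bot: Supplementary groups are not reset before the setgid/setuid pair under "Set uid/gid", so the process that goes on to run the user's script keeps whatever group list the daemon started with. Unless this already happens above the hunk, add an initgroups (user->pw_name, user->pw_gid) call before setgid and check its result in the same way. The failure messages go through printf, which in a network daemon may end up in the reply sent to the client; stderr or syslog with strerror (errno) would be a better destination, and the file needs <errno.h> if it does not include it yet. The chdir (user->pw_dir) call in the trailing context is still unchecked.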

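Why the order described under Security Hole matters, as an added example that is not part of GNU Finger or of the patch above. It uses a simplified credential model (an assumption of this example: one uid and one gid per process, and only uid 0 may switch to a different id); the struct, the function names and the ids 1000/100 are made up for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified credential model (assumption): no saved ids, no capabilities.
   Only a process running as uid 0 may change to a different uid or gid. */
struct cred { unsigned uid, gid; };

static int model_setuid(struct cred *c, unsigned uid) {
    if (c->uid != 0 && uid != c->uid) { errno = EPERM; return -1; }
    c->uid = uid;
    return 0;
}

static int model_setgid(struct cred *c, unsigned gid) {
    if (c->uid != 0 && gid != c->gid) { errno = EPERM; return -1; }
    c->gid = gid;
    return 0;
}

/* Order used before the patch: uid first, return values ignored. */
void drop_uid_first(struct cred *c, unsigned uid, unsigned gid) {
    (void) model_setuid(c, uid);
    (void) model_setgid(c, gid);  /* fails silently: caller is no longer uid 0 */
}

/* Order used by the patch: gid first, every result checked. */
int drop_gid_first(struct cred *c, unsigned uid, unsigned gid) {
    if (model_setgid(c, gid) < 0) return -1;
    if (model_setuid(c, uid) < 0) return -1;
    return 0;
}

int main(void) {
    struct cred a = {0, 0}, b = {0, 0};  /* constructed: daemon starts as root */
    int rc;

    drop_uid_first(&a, 1000, 100);
    printf("uid first: uid=%u gid=%u\n", a.uid, a.gid);

    rc = drop_gid_first(&b, 1000, 100);
    printf("gid first: rc=%d uid=%u gid=%u\n", rc, b.uid, b.gid);
    return 0;
}
```

With the uid changed first, the model process ends up as the user but still in root's group, and nothing reports the failed setgid.
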
Resources

GNU finger can be obtained directly from GNU. There is also an online manual (or rather, a FAQ).


Enhancements of ICSI

Since obviously nobody was working on GNU Finger anymore, Andreas Stolcke of ICSI Berkeley made a new version, solving some of the problems of GNU Finger.

ICSI Finger was last updated on 4 April 1998, but only a single error was fixed. The update before that was on 18 July 1996. Rapid development does not seem to be taking place here either.

In my opinion it is also problematic that autoconf is no longer used for configuration; pmake does this job instead. Pmake uses a global host configuration file. I think that is a bad solution, as imake has already shown: the host configuration file goes out of date too quickly. Also, pmake cannot be called "widespread"... It therefore has to be compiled in advance.

Resources

The sources of ICSI Finger and pmake can be obtained from ftp://ftp.icsi.berkeley.edu/pub/ai/stolcke/software/


GNU Finger 1.5.0

Since obviously nobody maintains the sources of GNU Finger, I tried to change the ICSI sources to work with the newest version of autoconf/automake. This should also make installation easier.

I called that version GNU Finger 1.5.0. It compiles at least under Linux and Solaris and can be found at ftp://ftp.xelia.ch/pub/linux/gnufinger/gnufinger-1.5.0.tar.gz.

No exhaustive testing has been done yet, but the ICSI sources have not been changed much, and they have been known to work for a few years.


Last change: 22. June 2001
Michael Baumer (baumi@vis.ethz.ch)