RUIP) of the Finger (or Name) protocol, specified in RFC 1288. The Finger protocol provides a remote interface to programs which display information on system status and individual users. The protocol imposes little structure on the format of the exchange between client and server. The client provides a single command line to the fingerd server which normally returns a friendly human-oriented status report listing the users of the system at the moment, or an in-depth report of information about a particular user.
is designed to be started by
which is normally configured to start
when a client opens a connection to
reads a single
carriage-return and linefeed terminated command line from the client.
uses an access control file (see below) to see if user listings from the
originating host (and optionally the originating user) are permitted,
and what permissions are granted to the client host (and user). If user
listings are allowed, and if the request specifies a user-name
checks to see if that user-name is listed in a users file (see below).
If the requested user name is listed in the users file then the program
specified for that user-name is run. Otherwise the
program is run with the appropriate options. Output from whichever
program is run is passed back to the client.
LOG_NOTICE priority using the
~/.project files in ``long'' listings.
finger(1). The program must be specified by its fully qualified pathname.
/etc/fingerd.acl. The format of the file is:
client-user@[. client-host-name ] permission
attempts to match the remote user's name (if available from an
query, and if specified) and the remote host's name with what is in the
access file. If a match is found,
is used to process the request. Both the
can either be literal strings or wildcard expressions (ala
patterns). The first line to match the request is the one used to set
The value of ``permission'' must be one of the following:
~/.plan, etc. files (same as -p).
Command line options set the global defaults and cannot be reset with the access file, but access file permissions allow specific refinement of options.
/etc/fingerd.users. The format of the file is:
name program[ args ...]
Lines beginning with
The value of ``name'' is the user-name to match against. This must be a literal match; wildcards and regular expressions are not accepted. The
The remainder of the line,
``program[ args ...]''
should consist of the full pathname of the program to run and the
arguments you wish to give it. If you specify
anywhere it will be replaced with the remote user's name. If you
it will be replaced with the remote host's name. To pass a literal
to a command you can prepend it with another
Zimmerman, David, The Finger User Information Protocol, RFC 1288, Center for Discrete Mathematics and Theoretical Computer Science, Rutgers University, December 1990.
This version of fingerd is known separately as ``$Name: $''.
firstname.lastname@example.org> all comments and suggestions are welcome!
Thanks to Kevin Ruddy
for the wildcard library.
Thanks to Kelly DeYoe
for the patches (the nomatch code) and suggestions.
Thanks to Wietse Venema
for the rfc931 code.
Thanks to Christine Flemming
for helping with the manual page.
Greg A. Woods
did a major re-write, improving the error handling and implementing more
options, as well as translating the manual to
%H'' and ``
%U'' in the ``users'' file is pretty primitive and broken.
On some systems (at least SunOS 4.1.3)
only passes a maximum of four (4) command line options to the daemon it
runs, so you should condense command line options.
So instead of using:
fingerd -f -s -l -u''
Trusting and similar ``ident'' protocol results is a silly thing to do, especially for hosts you don't directly control.
There should be some way to return only the very minimum required amount of information, i.e. the user's full name (as per RFC 1288 Section 3.2.3). The combination of -S and -g comes close, but still reveals the user's login terminal, time, and idleness with most implementations of finger.
RFC 1288 suggests that the ``user list'' feature be disabled to avoid giving away potentially sensitive information about the users of a system. Similarly it is recommended that the -m option be used to prevent finger from attempting to find a matching user name. Administrators can also prevent the display of user office locations and phone numbers by using the -g option.
(Remote User Information Program)
servers should not send the contents of
``user information files''
and this can be prevented on most systems by using the
The ability to execute arbitrary programs is very dangerous and should be used only with great care, especially since it's also possible to pass information gathered from the network to these programs.
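
An added example (not part of the original manual page or the fingerd distribution): a small Python audit of a users file in the ``name program[ args ...]'' format, flagging entries that ignore the full-pathname rule, put wildcard characters in a literal name, or hand remote-supplied values to a program. It assumes that `#` starts a comment line, that `%U` and `%H` are the substitution tokens (the names appear in the notes above) and that `%%` is the literal-percent escape; the sample file is constructed.

```python
import re

# Constructed sample of /etc/fingerd.users content (not taken from the page).
SAMPLE = """\
# name   program [args ...]
help     /usr/local/bin/fingerhelp
status   uptime
log      /usr/local/bin/fingerlog %U %H
pct      /usr/local/bin/show 100%%
*admin   /usr/local/bin/adminfo
"""

PERCENT = re.compile(r"%(.)")  # a '%' and the character that follows it


def audit_users_file(text):
    """Return a list of (line_number, name, finding) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comment marker is an assumption
            continue
        parts = line.split(None, 1)
        name = parts[0]
        command = parts[1] if len(parts) > 1 else ""
        if not command:
            findings.append((lineno, name, "no program specified"))
            continue
        # The manual asks for the full pathname of the program to run.
        if not command.split()[0].startswith("/"):
            findings.append((lineno, name, "program is not a full pathname"))
        # Names are matched literally, so wildcard characters never expand.
        if re.search(r"[*?\[\]]", name):
            findings.append((lineno, name, "wildcard characters in literal name"))
        # %U / %H (assumed tokens) insert values supplied by the remote side;
        # '%%' (assumed escape) is consumed as a pair and not reported.
        for match in PERCENT.finditer(command):
            if match.group(1) in ("U", "H"):
                findings.append(
                    (lineno, name, "passes network-derived %" + match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, name, finding in audit_users_file(SAMPLE):
        print(f"line {lineno}: {name}: {finding}")
```

Entries reported as passing network-derived values are the ones to review first, since the invoked program receives input the remote client controls.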