RFC 1194 (rfc1194) - Page 2 of 12
Finger User Information Protocol
Alternative Format: Original Text Document
RFC 1194 Finger November 1990
3.2. RUIP security ........................................ 7
3.2.1. {Q2} refusal ....................................... 7
3.2.2. {C} refusal ........................................ 8
3.2.3. Atomic discharge ................................... 8
3.2.4. User information files ............................. 8
3.2.5. Execution of user programs ......................... 9
3.2.6. {U} ambiguity ...................................... 9
3.2.7. Audit trails ....................................... 9
3.3. Client security ...................................... 9
4. Examples ............................................... 10
4.1. Example with a null command line ({C}) ............... 10
4.2. Example with name specified ({U}{C}) ................. 10
4.3. Example with ambiguous name specified ({U}{C}) ....... 11
4.4. Example of query type {Q2} ({U}{H}{H}{C}) ............ 11
5. Acknowledgments ........................................ 12
6. Security Considerations ................................ 12
7. Author's Address ....................................... 12
1. Introduction
1.1. Intent
This memo describes the Finger User Information Protocol. This is a
simple protocol which provides an interface to a remote user
information program (RUIP).
Based on RFC 742, a description of the original Finger protocol, this
memo attempts to clarify the expected communication between the two
ends of a Finger connection. It also tries not to invalidate the
many current implementations or add unnecessary restrictions to the
original protocol definition.
The most prevalent implementations of Finger today seem to be
primarily derived from the BSD UNIX work at the University of
California, Berkeley. Thus, this memo is based around the BSD
version's behavior.
However, the BSD version provides few options to tailor the Finger
RUIP for a particular site's security policy, or to protect the user
from dangerous data. Furthermore, there are MANY potential security
holes that implementors and administrators need to be aware of,
particularly since the purpose of this protocol is to return
information about a system's users, a sensitive issue at best.
Therefore, this memo makes a number of important security comments
and recommendations.
Zimmerman