the finger man page says I need to use chmod to give the home directory the "other-users-execute bit set", in order to restrict finger requests to only those that original from the local host as a security measure,but I cant find that in the chmod man page, is this very straight forward or is there other material I need to cover to understand what is happening there?
Asked
Active
Viewed 235 times
1 Answers
2
The context here is presumably this section of the finger manpage:
~/.nofingerIf finger finds this file in a user's home directory, it will, for finger requests originating outside the local host, firmly deny the existence of that user. For this to work, the finger program, as started by
fingerd(8), must be able to see the.nofingerfile. This generally means that the home directory containing the file must have the other-users-execute bit set (o+x). Seechmod(1). If you use this feature for privacy, please test it with “finger @localhost” before relying on it, just in case.
Once you know how chmod works, this tells you what to do: chmod o+x /path/to/home/directory. As a regular user, you can do this as follows:
cd
chmod o+x .
Root can change all home directories:
sudo chmod o+x /home/*/
In the GNU chmod manpage, the following paragraphs explain this:
The format of a symbolic mode is
[ugoa...][[-+=][perms...]...], where perms is either zero or more letters from the setrwxXst, or a single letter from the setugo. Multiple symbolic modes can be given, separated by commas.A combination of the letters
ugoacontrols which users' access to the file will be changed: the user who owns it (u), other users in the file's group (g), other users not in the file's group (o), or all users (a). If none of these are given, the effect is as if (a) were given, but bits that are set in the umask are not affected.The operator
+causes the selected file mode bits to be added to the existing file mode bits of each file;-causes them to be removed; and=causes them to be added and causes unmentioned bits to be removed except that a directory's unmentioned set user and group ID bits are not affected.The letters
rwxXstselect file mode bits for the affected users: read (r), write (w), execute (or search for directories) (x), execute/search only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), restricted deletion flag or sticky bit (t). Instead of one or more of these letters, you can specify exactly one of the lettersugo: the permissions granted to the user who owns the file (u), the permissions granted to other users who are members of the file's group (g), and the permissions granted to users that are in neither of the two preceding categories (o).
Stephen Kitt
- 434,908
fingerdaemon runs without any special permissions, sochmod o+xonly facilitatesfingerdif the previous permissions wereo=. This can vary from system to system, or by Linux distribution. – Chris Davies Sep 08 '20 at 12:07chmod o+xsets the bit in any case; so after it’s run,fingerdwill be able to check for the existence of.nofinger, irrespective of what the permissions were before (and yes,fingerdmight have already been able to do this). – Stephen Kitt Sep 08 '20 at 12:09o=rx(as on Debian, for example) then thechmodoperation is a no-op. However, on RHEL-derived systems IIRC the default iso=so thechmod o+xis necessary forfingerdto be able to search for the file~/.nofinger– Chris Davies Sep 08 '20 at 12:10chmod o+xas it is to check for the permission before deciding whether to runchmod o+x, isn’t it? And in any case,chmod o+xresults in a configuration which works — which doesn’t say anything about whether it worked before thechmod. – Stephen Kitt Sep 08 '20 at 12:13