next up previous contents
Next: rexec Up: Commands Revealing User Previous: Commands Revealing User



The ``finger'' service provided by the finger client program and the fingerd server program displays information about users. When finger is invoked with a name argument, the /etc/passwd file is searched and for every user with a first name, last name, or username that matches the name argument, information is displayed. When the finger program is run with no arguments, information for every user currently logged onto the system is displayed. User information can be displayed for remote machines as well as for the local machine.

The output of finger typically includes login name, full name, home directory, last login time, and in some cases when the user received mail and/or read mail. Personal information, such as telephone numbers, are often stored in the password file so that this information is available to other users. Making personal information about users available poses a security threat because a password cracker can make use of this information. In addition, fingerd can reveal login activity.

Versions of fingerd older than November 1988 are vulnerable to abuse because they contain a bug.

John Barkley
Fri Oct 7 16:17:21 EDT 1994