CFINGERD.CONF(5) | Configurable Finger Daemon | CFINGERD.CONF(5) |
cfingerd.conf - configurable finger daemon configuration file.
/etc/cfingerd.conf
cfingerd.conf is the configuration file for cfingerd. cfingerd has been totally rewritten to support a more readable configuration file. This version of the new configuration file is NOT compatible with the older versions from 1.0.3 or below.
The configuration file is split into sections of three general types: FILES, CONFIG, and HOSTS.
Each one of those sections is split into subsections, which will be explained next.
Each option within a subsection is a boolean option, a string option, or a switchable option, all changeable by the system administrator.
Each section is split into a series of sections that resembles C type definition; not exact, but close enough to be familiar with it. :) There's only one exception - these are not case sensitive. Any casing will do, as long as the option is legal.
Thus, each section is formatted like this:
OPTION section_name = {
(tab/space) string_option = "string_format",
(tab/space) +/-boolean_pair_option = [BOOL, BOOL],
(tab/space) +/-internal_config_option
(tab/space) host.name.here
}
This illustrates that string options are strings put into "quotes", boolean options are given as TRUE and FALSE, switchable options are given with the + or - directive, and hostnames are used as substrings, so that wildcards are not necessary.
A few sections simply contain a block of text to be used as the value of a single option, which one is indicated by the section name itself.
You may add comments using the hash mark "#" at the beginning of the line. Please note that no comments are allowed inside of a section.
Each option here is a string option. The first 6 options are relative to the home directory of whatever user was fingered, the remaining are absolute and should start with a "/".
PLAN is the optional plan file which contains the text displayed as the user's plan. The default is .plan.
PROJECT is the optional project file that is used when displaying a project description. The standard here is .project.
PGP_KEY is the optional "Pretty-Good-Privacy" file that is shown when displaying a public or private key. The standard here is .pgpkey.
XFACE is the optional file that shows the user's face. (This is commonly used in E-Mail messages.) The standard here is .xface.
NO_FINGER is the optional file that is shown when a user wishes to remain anonymous. This is usually the case with root users (which should be standard, anyway). In order to hide the user this file should be an exact copy of the nouser_banner.txt file. The standard here is .nofinger. This file can only be a standard displayable file. This option will also hide the user from a "search.pattern" query. If any user can read this file it will also be honored by a userlist (@host) query. This is done by a non-privileged program so the uid can't be changed.
USERLOG is the optional file in which all attempts to finger a user are logged for the user's own reference. If ALLOW_USERLOG is not enabled this file is completely ignored. If ONLY_CREATE_FINGERLOG_IF_FILE_EXISTS is enabled cfingerd will only document finger requests if this file already exists in the user's home directory. The default name is .fingerlog.
MAILBOX is the file that is checked to see where the user's mailbox is. If you are using a regular Unix mail transport agent (such as sendmail(1), smail(1) or exim(1)), you would use /usr/spool/mail/$USER here. If you are using something like qmail, you would use $HOME/Mailbox. The path must be given as well as the filename to check for. $USER will expand to the proper username. $HOME will expand to the proper home directory for that very user. If MAILBOX is set to "QMAIL", cfingerd assumes that Qmail is used on the local system and therefore will read ~/.qmail files instead of common mailbox files.
LOGFILE is the file that is used to keep logs of everything that happens to your finger program. These logs are kept as backups for your finger file, and can be used to guard against attacks against your system if a finger attack occurs. By keeping cfingerd.conf readable only by root the logfile should be kept in a safe, hidden place.
HEADER_DISPLAY is the file that is displayed at the top of each finger reply. The standard here is /etc/cfingerd/top_finger.txt.
FOOTER_DISPLAY is the file that is displayed at the end of each finger reply. The standard here is /etc/cfingerd/bottom_finger.txt.
NO_USER_BANNER is the file that is displayed if the user doesn't exist. The standard here is /etc/cfingerd/nouser_banner.txt.
NO_NAME_BANNER is the file that is displayed if no name was specified in a finger request if a system listing is not allowed by the SYSTEM_LIST option (explained later). The standard here is /etc/cfingerd/noname_banner.txt.
REJECTED_BANNER is the file that is displayed if a rejected host tries to finger your system for any reason. The standard here is /etc/cfingerd/rejected_banner.txt.
Each option in this section is boolean. The way this works is as follows: The first boolean option is the setting for a remote host, or a host that fingers you from the outside. The second boolean option is the setting for the local host, or trusted host. This is what people from your own system will see.
TRUE means that this item is included in the cfingerd reply. FALSE means it is omitted. Unless otherwise specified these items only appear if an existing user is fingered.
Each option has a "-" or "+" option. This is for user-overridable options, which will be in the next release of cfingerd. These will allow each user to manipulate if this information is displayed when that specific user is fingered.
HEADER_FILE displays the header file at the beginning of each finger reply.
FOOTER_FILE displays the footer file at the end of each finger reply.
LOGIN_ID displays the login ID of that particular user.
REAL_NAME displays the real name of that particular user.
DIRECTORY displays the user's directory.
SHELL displays the user's shell.
ROOM_NUMBER displays the user's room number.
WORK_NUMBER displays the user's work phone number.
HOME_NUMBER displays the user's home phone number.
OTHER displays the user's other information.
LAST_TIME_ON displays the last time the user has logged into the fingered system.
IF_ONLINE displays whether or not the user is currently logged into the fingered system.
TIME_MAIL_READ displays the last time that the fingered user has read mail.
DAY_MAIL_READ displays the last day that the fingered user read his/her mail.
ORIGINATION displays the site from which the user logged in (if applicable.)
PLAN displays the user's plan file.
PROJECT displays the user's project file.
PGP displays the user's Pretty-Good-Privacy key file.
XFACE displays the user's XFACE file.
NO_NAME_BANNER displays the banner if no username was given.
REJECTED_BANNER displays the rejected banner file if the site fingering your system was in the banned-site listing.
SYSTEM_LIST displays the system list if one was requested.
NO_NAME displays the NO_USER_BANNER file if no user was selected.
Each item in this section is a switchable option. This means that a "+" before the item enables it while a "-" before the item turns it off.
ALLOW_MULTIPLE_FINGER_DISPLAY tells cfingerd to add the system finger information from the hosts listed in the system_list_sites instead of only the localhost. This is useful when you have more than one ISP machine, located in different cities, or even states.
ALLOW_SEARCHABLE_FINGER allows you to let others outside of your system (or within it) to search for a specific username by using the "search.pattern" directive.
ALLOW_NO_IP_MATCH_FINGER allows you to let sites finger your system if a hostname could not be matched to their IP address successfully.
ALLOW_USER_OVERRIDE will allow your users to override specific options in the FINGER DISPLAY section that you enable. This is not yet implemented.
ALLOW_USERLIST_ONLY will allow other sites to get a shortened form of the "finger @hostname" response by issuing "finger userlist-only@hostname". The shortened form does not merge in other computers even if ALLOW_MULTIPLE_FINGER_DISPLAY is enabled, and omits the usual headers and footers. This listing is only available if the remote user is allowed to query for a regular system list, so SYSTEM_LIST from the finger_display section needs to be enabled, too.
ALLOW_FINGER_FORWARDING will allow other sites to forward finger requests to a different machine if the user could not be located on the current machine. (In order to use this option, you MUST have the HOSTS finger_forward option set, and have other sites in there.)
ALLOW_STRICT_FORMATTING makes the finger display remove all returns between display options. This makes the finger display look horrible (as with GNU Finger or the other generic fingers) and makes your system look, well, "generic". :)
ALLOW_VERBOSE_TIMESTAMPING makes the timestamp that is displayed (at any place) very verbose. For instance, where it used to say:
On since Sat Aug 12 03:43PM (PDT)
would now be shown as:
On since Sat Aug 12, 1995 03:43PM (PDT)
(Basically, ALLOW_VERBOSE_TIMESTAMPING just takes up more room on the display field.)
ALLOW_NONIDENT_ACCESS lets cfingerd also accept connections from sites that don't run the IDENT daemon (or RFC1413-compliant program.) This is for security sake, and is a good measure against unknown users trying to finger your system. If this option is enabled, users that do not have identd running on their system (ala Windows users) will be able to finger your system. Systems NOT running identd will return "unknown" as the user ID, and will thusly not be permitted to finger a user on your system.
ALLOW_FINGER_LOGGING enables cfingerd to use the LOGFILE file to store any logs of activity that happen to your system via finger.
ALLOW_LINE_PARSING makes cfingerd parse each line of every display file (including the plan, project, and pgp files) for any cfingerd-specific "$" commands. If any are found, cfingerd will parse these commands and display correct information accordingly. Otherwise, if this is turned off, the display will appear without parsed commands.
ALLOW_EXECUTION will allow users to execute scripts in place of their .plan, .project, and .pgp files. This is used to display the standard output of another program directly to the screen of the user. Keep in mind that this is a HUGE security risk, should you choose to use it. It's normally suggested that this remain off, but you can turn it on if necessary. Nevertheless these programs are called as nobody.nogroup as effective user (while the real user will still be root, but a called program won't be able to change this back).
ALLOW_FAKEUSER_FINGER turns on or off the fake user option in cfingerd. If you want fake users to be defined, and available to be fingered, you will want to enable this option. This can be a security risk in some instances if you allow for searchable fingers, and your script calls an execute routine on that variable... But chances are, that'll never happen.
ALLOW_USERLOG will allow users to keep track of who has fingered them, and at what time. The default name of this user logfile is .fingerlog.
ALLOW_CONFESSION enables two fakeusers "help" and "version" that provide information about the system running. Some people don't like that so you can turn it off. When fingered the requestor will only see the NO_USER_BANNER so he can't guess that the fakeuser is supported.
ONLY_SHOW_HEADERS_IF_FILE_EXISTS will only show the header of the .plan, .project, etc. files if they exist. If the file doesn't exist, the header will not be shown. This saves space on the final output of the finger data.
ONLY_CREATE_FINGERLOG_IF_FILE_EXISTS will only create a .fingerlog file in the fingered user's home directory if one exists (and is read/writable by the user.) This is to cut down on hard drive space if they don't want a .fingerlog file.
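The switchable options above that widen who may finger the system or what a reply can trigger can be checked mechanically. The following is an added example, not part of cfingerd or of the original manual page: it reads the +/- switches from a configuration text and reports the settings this page describes as risky. The section name internal_config and the sample configuration are assumptions constructed for the illustration.

```python
import re

# Switches that this page describes as widening access or disclosure when on.
RISKY_WHEN_ON = {
    "ALLOW_EXECUTION": "user scripts run in place of .plan/.project/.pgp files",
    "ALLOW_NO_IP_MATCH_FINGER": "clients whose IP has no matching hostname are served",
    "ALLOW_NONIDENT_ACCESS": "clients that do not answer IDENT (RFC 1413) are accepted",
    "ALLOW_CONFESSION": "the 'help' and 'version' fake users describe the system",
}

SECTION_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s*=\s*\{\s*$")  # OPTION name = {
SWITCH_RE = re.compile(r"^\s*([+-])\s*(\w+)\s*,?\s*$")      # +NAME or -NAME

# Constructed sample; "internal_config" is an assumed section name.
SAMPLE = """\
# constructed sample, not a shipped default
CONFIG internal_config = {
\t+ALLOW_SEARCHABLE_FINGER,
\t-allow_no_ip_match_finger,
\t+ALLOW_EXECUTION,
\t# temporary
\t+ALLOW_FAKEUSER_FINGER,
\t-ALLOW_FINGER_LOGGING,
\t-ALLOW_CONFESSION
}
"""


def parse_switches(text):
    """Return ({OPTION: enabled}, [warnings]) for every +/- switch in text."""
    switches, warnings, section = {}, [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if section is None:
            m = SECTION_RE.match(line)
            if m:
                section = m.group(2).lower()
            continue
        if line.strip() == "}":
            section = None
        elif line.lstrip().startswith("#"):
            # The manual states that comments are not allowed inside a section.
            warnings.append(f"line {lineno}: comment inside section '{section}'")
        else:
            m = SWITCH_RE.match(line)
            if m:  # option names are not case sensitive, so normalise them
                switches[m.group(2).upper()] = m.group(1) == "+"
    return switches, warnings


def audit(text):
    """Return a list of findings for the configuration text."""
    switches, findings = parse_switches(text)
    for name, why in RISKY_WHEN_ON.items():
        if switches.get(name):
            findings.append(f"+{name}: {why}")
    if switches.get("ALLOW_FAKEUSER_FINGER") and switches.get("ALLOW_SEARCHABLE_FINGER"):
        findings.append("+ALLOW_FAKEUSER_FINGER with +ALLOW_SEARCHABLE_FINGER: "
                        "search parameters can reach fake user scripts")
    if switches.get("ALLOW_FINGER_LOGGING") is False:
        findings.append("-ALLOW_FINGER_LOGGING: finger activity is not written to LOGFILE")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```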
This is just a series of hostnames that you want to finger when displaying a userlist query (finger @localhost). If you have more than one system that you want to show, simply put their hostnames in this list, each on a line by itself.
A good example of the way this works is this: If you have a separate ISP system that you are running on the side, say "chatlink.com", then I would change my configuration to say:
CONFIG system_list_sites = {
chatlink.com,
localhost
}
Remember, if you are listing only a couple of sites, list the sites you will want to have listed (in order) first. These sites are required to run cfingerd as well and they must not be offline while fingering. The ending entry MUST be the localhost, or the finger listing will not include your site. If you include localhost anywhere else in the list, it will stop once it has reached the localhost entry, so remember to list it last!
This gives me a user listing from my own machine and from chatlink.com's system. The listing is automatically formatted (i.e. sorted and parsed) and displayed on the screen in sorted order. This program is usually used in tandem with the supplied userlist(1) program.
If no system list sites are specified, multiple system sites will not be specified.
This is a listing of the sites that you allow to finger your system exclusively, giving them the same access that your local users would get. In other words, they are treated as "localhost" users.
Each site that you list in this section should be separated by using the "," character. You can include up to 80 sites in this listing.
Wildcards are supported in this section, and you may use them in the regex format as well. Any wildcards with "*", "?", or any other regex wildcard matching character will work. IP addresses will also work. Hostnames are compared case insensitive.
This is a listing of the sites that you do not allow to finger your system. These sites don't get to finger anyone (or anything for that matter) on your system, regardless of what they try to do. In essence, finger is cut off to those particular systems.
Each site that you list in this section should be separated by using the "," character. You can include up to 80 sites in this listing.
Wildcards are supported in this section, and you may use them in the regex format as well. Any wildcards with "*", "?", or any other regex wildcard matching character will work. IP addresses will also work. Hostnames are compared case insensitive.
This is a listing of sites that are used to forward a finger query to when a finger request was processed, but that particular user was not found on the associated system. It will step through this listing, and it will search for the user in question. If the user could not be found, then it will step through to the next host, and the next, until it finds one.
Each site that you list in this section should be separated by using the "," character. You can include up to 80 sites in this listing.
Wildcards are supported in this section, and you may use them in the regex format as well. Any wildcards with "*", "?", or any other regex wildcard matching character will work. Hostnames are compared case insensitive.
If you do not specify any forwarding sites in this section, finger forwarding will be disabled for your system.
Each option in this section is a string that can be changed to fit your needs when displaying finger information. These strings are limited to about 20 characters on the display. (If you use more than 20, the finger display will end up looking strange.)
USER_NAME is the string that is displayed when the user's username is shown.
REAL_NAME is the string that is displayed when the user's real name is shown.
DIRECTORY is the string that is displayed when the user's directory is shown.
SHELL is the string that is displayed when the user's shell is shown.
ROOM_NUMBER is the string that is displayed when the user's room number is shown.
WORK_NUMBER is the string that is displayed when the user's work phone number is shown.
HOME_NUMBER is the string that is displayed when the user's home phone number is shown.
OTHER is the string that is displayed when the user's other display information is shown.
PLAN is the string that is displayed when the user's plan is shown.
PROJECT is the string that is displayed when the user's project is shown.
PGPKEY is the string that is displayed when the user's PGP Key is shown.
XFACE is the string that is displayed when the user's XFACE file is shown.
NO_PLAN is the string that is displayed if the user doesn't have a plan file to show you and ONLY_SHOW_HEADERS_IF_FILE_EXISTS is not enabled.
NO_PROJECT is the string that is displayed if the user doesn't have a project file to show you and ONLY_SHOW_HEADERS_IF_FILE_EXISTS is not enabled.
NO_PGP is the string that is displayed if the user doesn't have a PGP Key file to show you and ONLY_SHOW_HEADERS_IF_FILE_EXISTS is not enabled.
NO_XFACE is the string that is displayed if the user doesn't have an xface file to show you and ONLY_SHOW_HEADERS_IF_FILE_EXISTS is not enabled.
WAIT is the string that is shown when the system gathers information from other sites for a user listing.
These strings are changeable, and can be any length you want (within reason). These strings are concatenated into the syslogging display when the appropriate finger has been issued. This section also includes error messages that may occur.
NO_IP_HOST is shown when there is no hostname that matches the incoming IP address. This usually indicates that either the site didn't register their IP address with the InterNIC, or they are coming from a hacked site.
RENICE_FATAL is shown when the system failed to change the execution priority on the current process of cfingerd.
STDIN_EMPTY is shown when the input buffer on the CFINGERD port is empty. (This should never really happen; it's here for sanity.)
TRUSTED_HOST is shown when a trusted host fingers your system. If you do not specify a trusted host, cfingerd will insert "localhost" into this field.
REJECTED_HOST is shown when a rejected host fingers your system. If you do not specify a rejected host, cfingerd will insert "0.0.0.0" into this field.
ROOT_FINGER is shown when a user fingers root.
SERVICE_FINGER is shown when a user requests fake user services from your system.
USER_LIST is shown when a user requests a system user listing from your system.
FAKE_USER is shown when a user fingers a fake user from your system.
WHOIS_USER is shown when a user fingers a user with a "WHOIS" query. (This option is not yet available at the time of this writing.)
FINGER_DENY is shown when a user tries to finger with a forward request like user@host1@host2. This is not supported as it could result in finger loops and lots of traffic.
This section is used in changing the output that is given when a system crashes, or a signal is caught, and reported to the finger output.
The supported caught signals are as follows:
SIGHUP, SIGINT, SIGQUIT, SIGILL, SIGTRAP, SIGABRT, SIGFPE,
SIGUSR1, SIGSEGV, SIGUSR2, SIGPIPE, SIGALRM, SIGTERM, SIGCONT, SIGTSTP,
SIGTTIN, SIGTTOU, SIGIO, SIGXCPU, SIGXFSZ, SIGVTALRM, SIGPROF, SIGWINCH
These are the programs that are called when a specific action is taken on the finger display.
FINGER is the file that is used when a system user listing is requested from your machine. This is used in the standard user list and in the sorted user list, so it is wise to use the standard here; this being /usr/sbin/userlist.
WHOIS is the program that is used when a "whois" request is done on a specific user. This is currently not used.
These are the ever-popular fake users that you can create on your system. These users are ones that don't exist (and should not, for that matter.) These are, instead, treated as normal scripts that can be called for your use.
The format is as follows for fake users:
"fake_username", "Script name", SEARCHBOOL, "script"
where...
fake_username is the name of the fake user you want to request. Make sure that this is a user that DOES NOT exist on your system. Keep in mind that if you create a fake username, and that user already exists, the fake username will be shown. If you prepend '-' before the username, the fake user will not be shown on the list of services.
Script name is the standard name of your script. This is used in the display of your services listing.
SEARCHBOOL specifies whether or not parameters can be sent to that specific fake user. If you decide to use the SEARCHBOOL option (ie. TRUE in this case), the passed variables are:
$1 - First passed option,
$2 - Second passed option,
$3 - Third passed option, and
$4 - Fourth passed option.
(If more than four options were passed to this, the request will be ignored, and an error message will be returned to the user that requested the finger request.)
script is the location of your script. It should be chmod 700 and readable only by root.
If you do not specify any fake users, a fake user called "None" will be created. This is a fake user that does nothing, and calls "/dev/null" for the script.
This is the display that is given during a services finger. It should be formatted the same way that you want it to display on the screen.
When specifying the finger formatted options, you should specify them as C formatted strings as well, with the standard options. This should always be given last in the display.
An example of this would be:
Welcome to this system's services!
User: Service name: Searchable:
-------- -------------------- -----------
%-8s %-20s %-s
Where this would display the above string. Remember to keep the format string last, or a SIGSEGV will result.
This specifies where in the above display string that the information from a service listing is to go. These numbers can be anywhere between 1 and 3.
USER specifies the position of the username listing.
SERVICE specifies the position of the service full-name listing.
SEARCH specifies the position of the boolean search display.
If you like the software, and you want to learn more about the software, or want to see a feature added to it that isn't already here, then please write to cfingerd@infodrom.north.de. The project's webpage is at http://www.infodrom.north.de/cfingerd/ .
As always, I appreciate any suggestions, or bug reports you may have, so if you have suggestions or bug reports, BRING 'EM ON! :)
cfingerd(8), cfingerd.text(5), userlist(1), finger(1), regex(3), regexp(3).
19 Dec 1998 | 1.4.2 |