From: Tim Chase <openbsd@tim.thechases.com>
Subject: Adding user-filtering-by-group-membership to fingerd/finger?
To: OpenBSD tech <tech@openbsd.org>
Date: Wed, 5 Jun 2024 07:56:26 -0500

Howdy,

I was hoping there'd be some functionality to filter users reported
by finger/fingerd to prevent enumerating *all* the local users[1]
however, short of specifying that fingerd(8) use -P and creating a
username-filter wrapper script, it didn't look like there was any
way to readily do user-filtering.

I have a local dev patch in process that adds a -g <groupname>
option to finger(1) which should hopefully allow me to add users
to a "fingerusers"-type group and then modify my /etc/inetd.conf
like

finger          stream  tcp     nowait  _fingerd /usr/libexec/fingerd   fingerd -lsmug fingerusers

so that remote attempts to finger can only learn about permitted
users.  If I have more confidential user logins, I'd rather not
expose them to the world for bad actors to hammer against.

I figured I'd at least throw the issue on the tech@ mailing-list
to see if it's something others would find the patches valuable.

-tkc

______

[1]
https://www.reddit.com/r/openbsd/comments/1d8fhjm/only_allowing_fingerd8_to_finger_certain_users/