Golang fingerd for isolated environments
go get go.pennock.tech/fingerd
This is an implementation of the server-side of the finger protocol, per RFC742. This is written in Golang and is designed to be able to expect no operating system services except the home directories of the users.
This can be deployed in an empty “jail” or “container” with a read-only “nullfs mount” or “bind mount” providing access to the home directories.
This daemon will reap all children so that on platforms where the only process in a container must act like init, it can be used as such an init; the daemon does not fork but will collect and log the exit status of any other processes which join the container and then exit. How well this works when running as not-root has not been explored.
We tend to reveal only the information deliberately exposed by a user and no local system information. For those, use a system-native finger daemon. Our use-case is exposure to the Internet for constrained information disclosure.
Because of this use-model, if a given user does not have any of the
information files (
~/.pubkey) then we interpret
this as equivalent to the presence of the file
An attack surfaces document is available.
Further choices in our behaviour are documented.
Access required is listed below; this list is supposed to be authoritative and suitable for use in crafting a mandatory access control enforcement policy.
Note that although security was considered in the design of this server, it was written as a holiday project without attention to tests or testability and is thus not (yet) production grade. “It mostly works for me.”
No metrics are exported, only logs.
/home/*. Also required for
-run-as-userwhen starting as root (see a point below).
/etc/hostsare obvious choices). If not logging to syslog, this will not be needed.
/etc/finger.confif it exists (alias file)
/etcitself, to set up a watch for re-emergence of
/etc/finger.confcan be disabled by setting
nosuidunless you choose to use setcap instead of a packet filter. Please use a packet filter instead.
The most likely need for code customization is to change where logs go; we use the
logrus library which has a broad selection of plugins available to change
formatting and destinations; edit
logging_setup.go to add support for
whatever is of local interest to you.
$ mkdir ~/go $ export GOPATH="$HOME/go" $ go get go.pennock.tech/fingerd
With those install steps, the binary can be found in
go get command will fetch this repo, any dependent repos and perform the
To build as a static binary for deployment into a lib-less environment:
go build -ldflags "-linkmode external -extldflags -static"
-help to see help output listing known flags and defaults.
If starting as root, dropping to nobody, redirecting logs to someplace, and
all the users are in
/srv/fingerd -run-as-user=nobody 2>/logs/fingerd
If starting as root, avoiding using the system user database (“passwd”),
logging remotely in JSON format to a log-host whose IP is known (avoid DNS)
and starting as
nobody, relying upon that being uid
/srv/fingerd -run-as-user=-2:-2 -log.json -log.no-local -log.syslog.address=192.0.2.2:514
If starting as non-root, so we won’t drop privileges, but you want to listen on port 1079 (unprivileged) to which packet-filter or loadbalancer rules will redirect port 79 traffic, then:
The same, but also disabling use of
/etc/finger.conf (a BSD convention) so
that you don’t get attempts to watch for the file existing later, and using
/srv/fingerd -listen=:1079 -alias-file="" -homes-dir=/Users
Enable passwd lookup and disable “exists in /home so is a user” check:
/srv/fingerd -listen=:1079 -passwd.min-uid=500 -homes-dir=""
There is FreeBSD documentation, describing setup
within an OS-less Jail. An
rc.d script is included.