Henri [EMAIL PROTECTED] writes:
Sorry, I don't have any idea of the time needed to audit something
like drakconf...
There are not so many points where we exec some process or write some
files in drakconf, so this one is easy.
But when you talk about drakconf, I suspect you really want to say
Thierry Vignaud wrote:
Henri [EMAIL PROTECTED] writes:
Sorry, I don't have any idea of the time needed to audit something
like drakconf...
There are not so many points where we exec some process or write some
files in drakconf, so this one is easy.
But when you talk about drakconf, I
Han Boetes [EMAIL PROTECTED] writes:
That's a local exploit. I can think of a few other local ``exploits'' as
well, like booting in single user mode.
This is not an exploit: if you can _boot_ in single user mode it
means you have access to the hardware, and if you have access we cannot
do
Chmouel Boudjnah [EMAIL PROTECTED] wrote:
Han Boetes [EMAIL PROTECTED] wrote:
That's a local exploit. I can think of a few other local
``exploits'' as well, like booting in single user mode.
This is not an exploit: if you can _boot_ in single user mode it
means you have access to the
On Friday 14 March 2003 6:58 am, Han Boetes wrote:
Chmouel Boudjnah [EMAIL PROTECTED] wrote:
Han Boetes [EMAIL PROTECTED] wrote:
That's a local exploit. I can think of a few other local
``exploits'' as well, like booting in single user mode.
This is not an exploit: if you can
On Friday 14 March 2003 09:23 am, jokerman64 wrote:
On Friday 14 March 2003 6:58 am, Han Boetes wrote:
Chmouel Boudjnah [EMAIL PROTECTED] wrote:
Han Boetes [EMAIL PROTECTED] wrote:
That's a local exploit. I can think of a few other local
``exploits'' as well, like booting in single
Henri [EMAIL PROTECTED] writes:
That was a simple suggestion, it seemed important to me, that's
all. Does security concern only security experts? I don't
think so. Where is the problem in being a customer asking questions
about security to the expert, precisely?! If you can justify the
choice
Henri [EMAIL PROTECTED] writes:
on critical apps, on drakconf tools etc. or not? Perhaps this
would avoid big holes like the shutdown one, no?
The shutdown problem is not a big hole. It grants local root
access only for people with a login on the physical machine
(console login). Securing
On Friday 14 March 2003 06:45 am, Guillaume Cottenceau wrote:
Henri [EMAIL PROTECTED] writes:
on critical apps, on drakconf tools etc. or not? Perhaps this
would avoid big holes like the shutdown one, no?
The shutdown problem is not a big hole. It grants local root
access only for people
jokerman64 wrote:
On Friday 14 March 2003 6:58 am, Han Boetes wrote:
Chmouel Boudjnah [EMAIL PROTECTED] wrote:
Han Boetes [EMAIL PROTECTED] wrote:
That's a local exploit. I can think of a few other local
``exploits'' as well, like booting in single user mode.
This is
On Fri, 2003-03-14 at 14:39, Jason Straight wrote:
I disagree, I don't think that if you go into single user mode you
should be root. You should still have to log in. The argument that someone
has physical access to your computer, thus making it your problem and not an
exploit, is IMHO
On Friday 14 March 2003 10:11 am, Adam Williamson wrote:
Not entirely. You also have to lock your case shut somehow to stop
someone opening it up and flicking the BIOS reset...
Anyway, in regards to the original bug, this isn't purely a local
exploit, surely? Doesn't it also apply to someone
Adam Williamson [EMAIL PROTECTED] writes:
Anyway, in regards to the original bug, this isn't purely a local
exploit, surely? Doesn't it also apply to someone ssh'ing in from a
remote site? i.e., I could give a simple user account to someone in
Australia, thinking it's safe, and they could
On Fri Mar 14 9:23 -0500, jokerman64 wrote:
I disagree, I don't think that if you go into single user mode you should
be root. You should still have to log in. The argument that someone has
physical access to your computer, thus making it your problem and not an
exploit, is IMHO
On Friday 14 March 2003 09:56 am, scott chevalley wrote:
Perhaps not by default, but if you type
linux single init=/bin/sh
at a lilo prompt (or grub, but it would look different), you can bypass
any security on the system except for encrypted filesystem security, as
far as I'm aware.
On Friday 14 March 2003 11:11 am, Levi Ramsey wrote:
If someone has physical access to the computer they can pass their own
parameters to the kernel, including init=/bin/bash, which, bada bing
bada boom, gives them instant root.
man lilo - you can restrict it from allowing cmdline, or even
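The two messages above describe the problem (typing `linux single init=/bin/sh` at the LILO prompt boots a root shell) and point at `man lilo` for the fix. The script below is an added example, not code from the thread, from Mandrake or from the lilo package: it audits a lilo.conf for the `password=` and `restricted` keywords that lilo.conf(5) documents for exactly this case, and for the file being world-readable (the password is stored in clear text, so a readable lilo.conf protects nothing). The sample configurations, device names, labels and the password value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a lilo.conf for the console bypass discussed in
# the thread ("linux single init=/bin/sh" at the LILO prompt).
# Keywords checked are from lilo.conf(5): "password=" protects an image
# (or, at global level, every image) and "restricted" makes the password
# mandatory only when extra kernel parameters are typed at the prompt.
# Paths, labels and the password below are made up.

# lilo_password_set FILE -> 0 if a global or per-image password line exists
lilo_password_set() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"
}

# lilo_restricted FILE -> 0 if "restricted" is set (password demanded only
# for a boot that adds parameters such as init=/bin/sh)
lilo_restricted() {
    grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$1"
}

# lilo_world_readable FILE -> 0 if "others" may read the file; the
# password is plaintext, so a 644 lilo.conf leaks it to every local user
lilo_world_readable() {
    case "$(ls -ld "$1" | cut -c 8)" in r) return 0 ;; *) return 1 ;; esac
}

# lilo_audit FILE -> prints one verdict line; returns 0 (ok) or 1 (weak)
lilo_audit() {
    f=$1
    if ! lilo_password_set "$f"; then
        echo "$f: WEAK - no password, init=/bin/sh works at the prompt"
        return 1
    fi
    if lilo_world_readable "$f"; then
        echo "$f: WEAK - password set but the file is world-readable"
        return 1
    fi
    if lilo_restricted "$f"; then
        echo "$f: OK - password required only when parameters are typed"
    else
        echo "$f: OK - password required for every boot of the image"
    fi
    return 0
}

# Constructed sample: a typical default config, anyone at the console can
# append parameters to the "linux" entry.
write_weak_conf() {
    cat > "$1" <<'EOF'
boot=/dev/hda
prompt
timeout=50
default=linux
image=/boot/vmlinuz
        label=linux
        root=/dev/hda1
        read-only
EOF
}

# Constructed sample: same config with a global password that is only
# demanded when parameters are typed, so unattended boots still work.
write_hardened_conf() {
    cat > "$1" <<'EOF'
boot=/dev/hda
prompt
timeout=50
default=linux
password=CHANGEME-not-a-real-password
restricted
image=/boot/vmlinuz
        label=linux
        root=/dev/hda1
        read-only
EOF
    chmod 600 "$1"
}

# Stand-alone demo: audit both samples in a scratch directory.
demo() {
    d=$(mktemp -d)
    write_weak_conf "$d/lilo.conf.weak"
    write_hardened_conf "$d/lilo.conf.hardened"
    lilo_audit "$d/lilo.conf.weak" || true
    lilo_audit "$d/lilo.conf.hardened"
    rm -rf "$d"
}

demo
```

After editing the real /etc/lilo.conf the map has to be rebuilt with `lilo` for the change to take effect, and, as the thread goes on to say, this only raises the bar for someone at the keyboard: a reset of the BIOS settings or a boot from removable media still sidesteps it.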
On Fri Mar 14 11:52 -0500, Jason Straight wrote:
On Friday 14 March 2003 11:11 am, Levi Ramsey wrote:
If someone has physical access to the computer they can pass their own
parameters to the kernel, including init=/bin/bash, which, bada bing
bada boom, gives them instant root.
man lilo -
On Fri Mar 14, 2003 at 03:11:24PM +, Adam Williamson wrote:
Not entirely. You also have to lock your case shut somehow to stop
someone opening it up and flicking the BIOS reset...
Anyway, in regards to the original bug, this isn't purely a local
exploit, surely? Doesn't it also apply to
Levi Ramsey wrote:
On Fri Mar 14 11:52 -0500, Jason Straight wrote:
On Friday 14 March 2003 11:11 am, Levi Ramsey wrote:
If someone has physical access to the computer they can pass their own
parameters to the kernel, including init=/bin/bash, which, bada bing
bada boom, gives them
On Fri, 2003-03-14 at 17:07, Vincent Danen wrote:
On Fri Mar 14, 2003 at 03:11:24PM +, Adam Williamson wrote:
Not entirely. You also have to lock your case shut somehow to stop
someone opening it up and flicking the BIOS reset...
Anyway, in regards to the original bug, this isn't
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jason Straight wrote:
On Friday 14 March 2003 11:11 am, Levi Ramsey wrote:
If someone has physical access to the computer they can pass their own
parameters to the kernel, including init=/bin/bash, which, bada bing
bada boom, gives them instant
On Fri Mar 14 13:45 -0500, scott chevalley wrote:
Or, even more simply, resetting the BIOS, either by removing the CMOS
battery, or in some computers there is a CMOS clear pin header. Short
the pins and it clears CMOS, including passwords
That wouldn't disable the LILO password,
Levi Ramsey wrote:
On Fri Mar 14 13:45 -0500, scott chevalley wrote:
Or, even more simply, resetting the BIOS, either by removing the CMOS
battery, or in some computers there is a CMOS clear pin header. Short
the pins and it clears CMOS, including passwords
That wouldn't disable
Vincent Danen wrote:
On Thu Mar 13, 2003 at 08:26:23PM +0100, Henri wrote:
Open Source is said to be more secure: a question has come to my mind:
before releasing 9.1, will there be a security audit on critical
apps, on drakconf tools etc. or not? Perhaps this would avoid big holes
On Fri, 14 Mar 2003, Henri wrote:
Not all software: I was only asking about specific Mandrake tools and
critical ones: I am thinking of verifying one last time, just before
releasing, that permissions on tools installed in /sbin/ and /usr/sbin
are correct, for example...
FYI, rpmlint does
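Henri's suggestion above, a last check of the permissions on what ships in /sbin and /usr/sbin before release, is the kind of thing rpmlint covers at package level. As an added illustration (not rpmlint, and not a Mandrake script), the shell below runs the same check over an installed tree: a tool in those directories that is group- or world-writable can be replaced by an unprivileged user and will later be executed by root, and a setuid or setgid bit nobody expected is a root boundary of its own. The allowlist and the sample tree are constructed for the demonstration; on a real system the root argument would be `/` and the allowlist the setuid binaries the distribution intends.

```shell
#!/bin/sh
# Added example: permission audit of system binary directories, in the
# spirit of the pre-release check suggested in the thread. Not rpmlint.
# The allowlist and the sample tree below are made up.

# Hypothetical allowlist: binaries that are expected to carry a setuid bit.
ALLOWED_SETUID="/sbin/expected-setuid-tool"

# is_allowed_setuid PATH -> 0 if PATH (relative to the audited root) is allowed
is_allowed_setuid() {
    for a in $ALLOWED_SETUID; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# audit_perms ROOT DIR... -> prints one "KIND PATH" line per finding, PATH
# relative to ROOT (so a scratch tree can stand in for "/"); returns 0 when
# clean, 1 when anything was found. Paths with whitespace are not handled.
audit_perms() {
    aroot=$1; shift
    rc=0
    for dir in "$@"; do
        [ -d "$aroot$dir" ] || continue
        # regular files writable by group or others
        for f in $(find "$aroot$dir" -type f \( -perm -g+w -o -perm -o+w \)); do
            echo "WRITABLE ${f#"$aroot"}"
            rc=1
        done
        # setuid/setgid regular files that are not on the allowlist
        for f in $(find "$aroot$dir" -type f \( -perm -u+s -o -perm -g+s \)); do
            if ! is_allowed_setuid "${f#"$aroot"}"; then
                echo "SETUID ${f#"$aroot"}"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample tree: one clean tool, one world-writable tool, one
# unexpected setuid tool and one allowlisted setuid tool.
build_sample_tree() {
    troot=$1
    mkdir -p "$troot/sbin" "$troot/usr/sbin"
    printf '#!/bin/sh\n' > "$troot/sbin/good-tool"
    chmod 755 "$troot/sbin/good-tool"
    printf '#!/bin/sh\n' > "$troot/usr/sbin/world-writable"
    chmod 777 "$troot/usr/sbin/world-writable"
    printf '#!/bin/sh\n' > "$troot/sbin/surprise-setuid"
    chmod 4755 "$troot/sbin/surprise-setuid"
    printf '#!/bin/sh\n' > "$troot/sbin/expected-setuid-tool"
    chmod 4755 "$troot/sbin/expected-setuid-tool"
}

# Stand-alone demo: build the sample tree and audit it.
demo() {
    d=$(mktemp -d)
    build_sample_tree "$d"
    audit_perms "$d" /sbin /usr/sbin || echo "findings above; fix before release"
    rm -rf "$d"
}

demo
```

The world-writable check is the one that matters most for a tool that runs as root from a login script or cron job; the setuid check is there because a bit that slips in through a packaging mistake is invisible in a listing unless someone looks for it.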
Hi,
Open Source is said to be more secure: a question has come to my mind:
before releasing 9.1, will there be a security audit on critical
apps, on drakconf tools etc. or not? Perhaps this would avoid big holes
like the shutdown one, no?
On Thu Mar 13, 2003 at 08:26:23PM +0100, Henri wrote:
Open Source is said to be more secure: a question has come to my mind:
before releasing 9.1, will there be a security audit on critical
apps, on drakconf tools etc. or not? Perhaps this would avoid big holes
like the shutdown one,
Henri [EMAIL PROTECTED] wrote:
Open Source is said to be more secure: a question has come to my mind:
before releasing 9.1, will there be a security audit on critical
apps, on drakconf tools etc. or not?
These tools only run with root permissions. Not much to hack anymore
once you got
Han Boetes wrote:
Henri [EMAIL PROTECTED] wrote:
Open Source is said to be more secure: a question has come to my mind:
before releasing 9.1, will there be a security audit on critical
apps, on drakconf tools etc. or not?
These tools only run with root permissions. Not much to