Hi Michel

| Geeee ... no, I exclusively post only half cooked and untested ideas to
| mailing lists. ;o)

funny? ;)

| Seriously: I tested it the usual way: "chmod 755 /usr/lib/authenticate" the
| first minute I saw the report on bugtraq. I then tested the admin interface
| and a htaccess protected web folder on that server and they still worked
| fine.

Ok, but did you check that chmod 755 really did fix the setuid bit? Try chmod 0755.

| I then implemented the fix on all my RaQs and even though some of the boxes
| host up to 75 domains of various customers there have been no complaints yet -
| in two or three weeks? Around that figure.

I almost did so, but at the 5th one I fixed, I had the feedback that everything goes wrong.

| So for all *my* usual purpose and that of my webhosting customers nothing is
| broken. As said: Nobody around here uses Frontpage and if they did then I'd
| say: "Not my problem - this ain't a Mickeysoft server!"
|
| Anyway, what's the problem? You can always go back by setting the SUID bit on
| /usr/lib/authenticate if the fix doesn't work for you <shrug>.

So as someone said on this list, admserv runs under 0 uid so not having suid bit doesn't matter. That's why admserv authentication still works. Now if it works for normal sites also, it means your shadow password file is world readable... Do you prefer world readable shadow file or suid bit on authenticate? :o)

So the problem I mentioned is still there. Will Sun care?

-- 
Rene Luria <[EMAIL PROTECTED]>
Unix Administrator - Infomaniak Network SA
PGP key DFE5C340 at keyserver.pgp.com

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
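
An added example, not part of the original message: a small audit script that reports which side of the trade-off raised above a box is on (setuid bit on the helper versus a world-readable shadow file). /usr/lib/authenticate comes from the thread; /etc/shadow, the function names and the verdict strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a host by the two settings
# the message weighs against each other.

# True when the setuid bit is set on the file. Ownership is not checked here;
# the bit only grants root when the file is owned by root.
has_setuid() { [ -u "$1" ]; }

# True when "other" has read permission. find prints the path only if the
# 004 bit is set; -prune stops it descending if a directory is passed.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Print one verdict for a helper/shadow pair:
#   suid-helper             helper is setuid, shadow is private
#   non-root-auth-broken    no setuid, shadow private: only uid 0 callers can
#                           verify passwords
#   shadow-exposed          no setuid, but shadow is readable by everyone
#   suid-and-shadow-exposed both at once
audit_auth() {
    helper=$1
    shadow=$2
    if [ ! -e "$helper" ] || [ ! -e "$shadow" ]; then
        echo "missing-file"
        return 1
    fi
    if has_setuid "$helper"; then
        if world_readable "$shadow"; then
            echo "suid-and-shadow-exposed"
        else
            echo "suid-helper"
        fi
    else
        if world_readable "$shadow"; then
            echo "shadow-exposed"
        else
            echo "non-root-auth-broken"
        fi
    fi
}

# Audit the live paths only when asked to, e.g.:  sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_auth "${2:-/usr/lib/authenticate}" "${3:-/etc/shadow}"
fi
```

Run it after any chmod on the helper, since a working admin login alone does not distinguish the four states.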
