Hi

I have read through the patch and what I can determine is that you make sure to print an error if the user id is not a number and change root to 0.
Thanks for pointing me at this. I assume that this will be applied by upstream soon enough so that we can incorporate it when they release next version. Or do you think it is important enough to patch to the current version?

Regards,

// Ola

On Sun, Apr 02, 2006 at 12:40:25PM +0200, David Schmitt wrote:
> Package: util-vserver
> Version: 0.30.209-2
> Severity: important
> Tags: security patch upstream
>
> This is upstream bug #15996: suexec from root with an invalid
> ID runs as root.
>
> https://savannah.nongnu.org/bugs/?func=detailitem&item_id=15996
>
> [EMAIL PROTECTED]:~$ sudo vserver buildd suexec david id
> uid=0(root) gid=0(root) groups=0(root)
> [EMAIL PROTECTED]:~$ sudo vserver buildd suexec 1000 id
> uid=1000(david) gid=0(root) groups=0(root)
> [EMAIL PROTECTED]:~$
>
> There is also a patch already available at
> https://savannah.nongnu.org/patch/?func=detailitem&item_id=4966
>
> Regards, David
>
> -- System Information:
> Debian Release: testing/unstable
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.16-1-vserver-686
> Locale: LANG=C, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
>
> Versions of packages util-vserver depends on:
> ii  iproute       20051007-4  Professional tools to control the
> ii  libbeecrypt6  4.1.2-4     open source C library of cryptogra
> ii  libc6         2.3.6-4     GNU C Library: Shared libraries an
> ii  net-tools     1.60-17     The NET-3 networking toolkit
>
> Versions of packages util-vserver recommends:
> ii  binutils  2.16.1cvs20060117-1uc1  The GNU assembler, linker and bina
> ii  make      3.80+3.81.rc2-1         The GNU version of the "make" util
>
> -- no debconf information
>

--
 --------------------- Ola Lundqvist ---------------------------
/ [EMAIL PROTECTED]                     Annebergsslingan 37      \
| [EMAIL PROTECTED]                     654 65 KARLSTAD          |
| +46 (0)54-10 14 30                    +46 (0)70-332 1551       |
| http://www.opal.dhs.org               UIN/icq: 4912500         |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9    /
 ---------------------------------------------------------------
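The check described in the reply above (error out when the user id is not a number) can be sketched as follows. This is an added example, not util-vserver's code or the Savannah patch; the function names are hypothetical, and the `atoi()`-style lax path is an assumption used only to show how a non-numeric id can silently become 0.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Lax parsing (assumed failure mode): atoi() returns 0 for any string
 * that does not start with a digit, so a user name maps to uid 0. */
static uid_t parse_uid_lax(const char *s)
{
    return (uid_t)atoi(s);
}

/* Strict parsing: returns 0 and stores the id in *out on success.
 * Returns -1 (fail closed) for empty, signed, non-numeric,
 * trailing-junk or out-of-range input; *out is left untouched. */
static int parse_uid_strict(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;

    /* First character must be a digit: rejects "", "-1", "+5", " 7", names. */
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    /* (uid_t)-1 is the "no change" sentinel of setreuid()/chown(); reject it too. */
    if (errno != 0 || *end != '\0' || v >= (unsigned long)(uid_t)-1)
        return -1;
    *out = (uid_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample arguments, modelled on the ids in the bug report. */
    const char *samples[] = { "david", "1000", "1000x", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uid_t uid = (uid_t)-1;
        if (parse_uid_strict(samples[i], &uid) != 0)
            printf("'%s': rejected (lax parser would use uid %lu)\n",
                   samples[i], (unsigned long)parse_uid_lax(samples[i]));
        else
            printf("'%s': uid %lu\n", samples[i], (unsigned long)uid);
    }
    return 0;
}
```

The caller should treat a `-1` return as fatal and exit before any `setuid()`/`exec` step, so that an unparsable id can never fall through to the invoking user's privileges.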

