Brendan O'Dea <[EMAIL PROTECTED]> wrote:

> ... the current situation poses no security risks without the
> administrator choosing to add users to the staff group.

Sorry, that is wrong. Quoting from the original bug report:

> Become-any-user-but-root and become-any-group-but-root bugs are quite
> common. When a group of machines share user home directories via NFS
> exported from somewhere with default root-squash, getting root on one
> machine gives precisely that on all others of the group. There have
> been "genuine" such bugs also e.g. in sendmail [6].

Bill Allombert <[EMAIL PROTECTED]> wrote:

> ... there is at least another group in Debian that is equivalent
> to root access, namely disk, and there are others that present a
> security risk (e.g. shadow). Why special casing staff?

Thanks for pointing those out! Add group tty also? All should be "squashed" (and the objects owned by root:root instead).

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia