On Fri, 2 May 2003, Wolfgang Sourdeau wrote:

> I am not subscribed to debian-security, so please include me in your Cc:
> for this discussion.

Likewise.

> I have noticed a "fax" user was expected in mgetty-1.1.30 (never played
> with 1.1.29). The problem I have with that is that this user is required at
> build time (during the make install phase). Another problem is that
> Debian does not have such a user, although one used to exist temporarily
> for hylafax a couple of years ago. Now, hylafax is using uucp, so is
> pppd and every communication server package I know of in Debian.
>
> The problem here seems to be that mgetty's sendfax was running under
> user root. Now, if we use uucp (which I have modified mgetty 1.1.30 for
> last week), I don't see where the problem is. I don't see the point in
> requesting the creation of a user for one little program nor do I judge
> this compromise (using uucp) as a security issue.
>
> Please correct me if I am wrong though.

http://www.securityfocus.com/bid/7302 lists some more information. I don't
think Debian has this vulnerability either, but I haven't checked. Under
Credits you can find a Gentoo and Redhat advisory. Are there any group or
world readable directory issues, as is suggested to me? I'm talking about
during installation *and* in normal use.

> ps: now it seems Debian mgetty's sendfax is broken since 1.1.30, but
> this is another issue which will be fixed before next week.

Off topic, but related... I've been having trouble with mgetty and vgetty
for years now. I had it almost working the way I wanted, but then it
answered the phone and wouldn't hang up... after that vgetty or mgetty
couldn't answer the phone, even after reboot... but I haven't looked into
this for a long time now and that box might have fs problems now.

Drew Daniels
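As an added example (not code from this thread, from mgetty or from the Debian package), the following POSIX sh function is one way to answer the "group or world readable directory" question raised in the message above: it walks a fax spool tree and reports directories that are world-readable, directories that are group- or world-writable without the sticky bit, and set-id files. The default path /var/spool/fax is an assumption; mgetty's actual spool location is set at build time and differs between distributions.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post or of mgetty itself.
# Audits a fax spool tree for the permission problems discussed above.
#
# audit_spool DIR
#   Prints one "LABEL: path" line per finding and returns 1 if anything
#   was found, 0 if the tree is clean. Checks, in octal -perm terms:
#     - directories with o+r (004): any local user can list queued jobs
#     - directories with g+w (020) or o+w (002) and no sticky bit (1000):
#       another member of a shared group such as uucp could replace or
#       remove another user's job
#     - regular files with setuid (4000) or setgid (2000): a set-id binary
#       living in a spool directory is worth a second look
audit_spool() {
    spool=$1
    if [ ! -d "$spool" ]; then
        echo "audit_spool: $spool is not a directory" >&2
        return 2
    fi
    report=$(
        find "$spool" -type d -perm -004 -print \
            | sed 's/^/WORLD_READABLE_DIR: /'
        find "$spool" -type d \( -perm -020 -o -perm -002 \) ! -perm -1000 -print \
            | sed 's/^/WRITABLE_NO_STICKY_DIR: /'
        find "$spool" -type f \( -perm -4000 -o -perm -2000 \) -print \
            | sed 's/^/SETID_FILE: /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage when run as a script: audit_spool.sh [DIR]
# /var/spool/fax is assumed here; substitute the path your mgetty build uses.
if [ "$#" -gt 0 ]; then
    audit_spool "$1"
elif [ -d /var/spool/fax ]; then
    audit_spool /var/spool/fax
fi
```

Run it once right after the package is installed and again after a few jobs have gone through the queue, since the second case covers modes that sendfax or faxrunq set at run time rather than modes the package's install step created.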

