[snip]
> What happens if there's a security hole in getpwnam(), on a UNIX
> system that allows file giveaways?
Then the whole system is fucked up, and qmail can't do quite a little
about that.
> With this patch, the attacker breaks into qmail-getpw, then changes
> the owner of /var/qmail/owners/uidp to root, then breaks into root,
> then has complete control over your system. The security barrier
> around root has been breached.
Which could - in that hypothetic case - be achieved by zillion other
means.
>
> When's the last time you reconfigured your system uids? You have to
> take the system down and do a massive file conversion. Why is it
> such a big deal to reinstall qmail on these rare occasions?
See Dan, for you "install" means
$less INSTALL.*
$vi some_cfg_files
$make
$su -
#make install check
or whatever the stuff is really called.
For me install means rpm -ivh qmail*rpm. That's one of a hell of a
difference. I don't recompile every single thing (hell, I could
even live without a gcc installed) I install - I just tend to trust
the PGP signatures, MD5 checksums and RedHat fixing holes ASAP.
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
-- Don't you know there ain't no devil there's just God when he's drunk.
[Tom Waits]
