Re: remote root qmail-pop with vpopmail advisory and exploit with patch (fwd)

Petr Novotny Wed, 26 Jan 2000 08:19:52 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26 Jan 00, at 11:10, Russell Nelson wrote:
>  > > Maybe.  Maybe not.  But splogger isn't a setuid program and needn't be 
>  > > run as root (unlike qmail-send).
>  > 
>  > 1. qmail-popup is a setuid program?
> 
> No, howeer syslog is often used by daemons, and some daemons run setuid.

Well, on my system qmail-popup is root. (Not setuid, but is root.) 
/bin/checkpassword needs to be root, and giving it suid is a 
security disaster (su without logging of bad attempts).

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBOI8sUlMwP8g7qbw/EQIaygCg4IKfGNwDi4RZ6bQZoTbqyn5khR8AoLmq
h8hJAVzkEJ/FOVtlgH1QKd/6
=fflb
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
                                                             [Tom Waits]

Re: remote root qmail-pop with vpopmail advisory and exploit with patch (fwd)

Reply via email to