Previously Anthony Fok wrote:
Unfortunately, the suggestion chown root.floppy and chmod [12]754
won't work either because fdmount.c has this check in it:
if (geteuid()!=0)
die(Must run with EUID=root);
You wouldn't believe how many programs have a check like this and still
work
Previously John Hasler wrote:
As I noted, there are no calls to system or its ilk.
That's good.
I know how to fix the sprintf's. My plan now is to analyze the path
followed by strings from input to consumption.
It might be much easier to just replace them with snprintf's. Also check
for
Wichert Akkerman writes:
It might be much easier to just replace them with snprintf's.
That is what I meant when I said I know how to fix them.
Also check for things like strcpy()...
I'd rather trace out the input string handling than just grep for dangerous
functions. There isn't that
Hello Ben, Avery and Wichert!
On Wed, Jan 20, 1999 at 12:50:59AM +0100, Wichert Akkerman wrote:
Previously Anthony Fok wrote:
As the Slink deep freeze and release are impending, I would like to ask your
advice: Should I follow the suggestion given by the bug reporter Thomas
Roessler?
I
AF == Anthony Fok [EMAIL PROTECTED] writes:
AF if (geteuid()!=0) die(Must run with EUID=root);
AF I am a little bit tempted to comment that line out, but it's
AF probably there for a reason, and I am definitely not qualified
AF to hack fdmount.c, so for now I should probably
Ben Collins wrote:
Any program that is suid or sgid for no reason what-so-ever is always a
reason for a bug report, especially if it's suid root...we need some
automatic catch for new packages that have suid or sgid binaries in
them, or call suidregister.
Lintian can serve as a check for the
I wrote:
Would you say the same of daemons that run as root?
Avery Pennarun writes:
Coming from you, that sounds like a trick question.
It isn't. My chrony package includes a daemon that runs as root. I've
looked it over and don't see any holes, but I'm not a security expert.
--
John Hasler
Previously John Hasler wrote:
It isn't. My chrony package includes a daemon that runs as root. I've
looked it over and don't see any holes, but I'm not a security expert.
Have you tried running it as another user?
Wichert.
--
Wichert writes:
Have you tried running it [chronyd] as another user?
No, but it doesn't seem too likely that a program that adjusts the system
clock would work too well running as 'nobody'. It can also be an ntp
server, though that is turned off in the default configuration.
I looked around in
Previously John Hasler wrote:
I looked around in the code a bit more and found a few dubious looking
sprintf's. What else should I look for? I already checked for 'system'
and 'execve'.
Please do so. If you don't feel confident enough you can submit it to the
security team. We'll take a look
I wrote:
I looked around in the code a bit more and found a few dubious looking
sprintf's. What else should I look for? I already checked for 'system'
and 'execve'.
Wichert Akkerman writes:
Please do so.
Please do *what*?
As I noted, there are no calls to system or its ilk. I know how
Previously Anthony Fok wrote:
As the Slink deep freeze and release are impending, I would like to ask your
advice: Should I follow the suggestion given by the bug reporter Thomas
Roessler?
I think so. For people who want to mount floppies without being root
you can also use a line in
On Tue, Jan 19, 1999 at 05:16:01PM -0500, Avery Pennarun wrote:
When the docs for a setuid program warn you not to trust its security
then be afraid, be very afraid. It shouldn't be automatically setuid in
Debian until _some_ security-conscious person has audited it carefully.
On a related
Avery Pennarun wrote:
When the docs for a setuid program warn you not to trust its security
then be afraid, be very afraid. It shouldn't be automatically setuid in
Debian until _some_ security-conscious person has audited it carefully.
Would you say the same of daemons that run as root?
--
On Wed, Jan 20, 1999 at 02:18:59PM +1300, Robert Donn wrote:
I'm not sure whether this violates policy or not (and thus whether to file a
bug against it) - but Policy does not require postinsts using
chmod/suidregister to give message or query, then perhaps it
needs to be added...
Any program
On Tue, Jan 19, 1999 at 08:56:11PM -0600, John Hasler wrote:
Avery Pennarun wrote:
When the docs for a setuid program warn you not to trust its security
then be afraid, be very afraid. It shouldn't be automatically setuid in
Debian until _some_ security-conscious person has audited it
Hello,
I received the following bug report about fdutils a while ago, but haven't
had time to deal with it yet. Basically, the bug reporter is concerned that
the suid'ed fdmount could be insecure, because fdmount's manpage warns the
user not to rely on it being secure.
So far, my suid'ed
On Tue, Jan 19, 1999 at 02:29:44PM -0700, Anthony Fok wrote:
As the Slink deep freeze and release are impending, I would like to ask your
advice: Should I follow the suggestion given by the bug reporter Thomas
Roessler? If so, should I fix this bug before Slink is out? I am kind of
busy with
On Tue, Jan 19, 1999 at 04:43:37PM -0500, Ben Collins wrote:
On Tue, Jan 19, 1999 at 02:29:44PM -0700, Anthony Fok wrote:
As the Slink deep freeze and release are impending, I would like to ask
your advice: Should I follow the suggestion given by the bug reporter
Thomas Roessler? If so,
19 matches
Mail list logo
