[KLUG Members] This is a bad one
Kevin Mitchell
members@kalamazoolinux.org
Fri, 19 Oct 2001 16:30:15 -0400 (EDT)
> I realize there may be more exotic ways to exploit this bug... but a
> world-executable set-uid-0 binary? Well, Duh!!!!!!!!!!!!! That is
> about as stupid an idea as I have ever seen. I mean at least restrict
> execution to a group of "trusted users".
Yeah, some of those binaries can definitely go. But there still will be
things like ping, traceroute, passwd, su that will remain suid 0 for a
long time.
Kevin
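
An added example, not part of the original post: a small audit that lists set-uid-0 files and separates the world-executable ones from those already restricted to a group, which is the distinction the thread is arguing about. The `EXPECTED` allowlist holds the four binaries named in the reply; the function names and the default scan path `/usr` are assumptions made for this illustration.

```python
import os
import stat
import sys

# Binaries the reply expects to remain setuid root (taken from the post).
EXPECTED = {"ping", "traceroute", "passwd", "su"}


def classify(mode, uid, name, expected=EXPECTED, owner_uid=0):
    """Label a file from its stat data; None if it is not a setuid file owned by owner_uid."""
    if not stat.S_ISREG(mode) or uid != owner_uid or not mode & stat.S_ISUID:
        return None
    if not mode & stat.S_IXOTH:
        # Setuid, but "other" cannot execute it: only owner/group can run it.
        return "group-restricted"
    # World-executable setuid: fine if it is a known necessity, else review it.
    return "expected" if name in expected else "review"


def scan(root, owner_uid=0):
    """Walk root and return sorted (label, mode string, path) for setuid files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            label = classify(st.st_mode, st.st_uid, name, owner_uid=owner_uid)
            if label:
                findings.append((label, stat.filemode(st.st_mode), path))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for label, mode, path in scan(root):
        print(f"{label:17} {mode} {path}")
```

Entries labelled `review` are the candidates for dropping the setuid bit or tightening to a mode such as 4750 with a trusted group.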