[KLUG Members] This is a bad one

Adam Tauno Williams members@kalamazoolinux.org
Fri, 19 Oct 2001 16:39:49 -0400 (EDT)


>>I realize there may be more exotic ways to exploit this bug...  but
>>a world-executable set-uid-0 binary? Well, Duh!!!!!!!!!!!!!  That is
>>about as stupid an idea as I have ever seen.  I mean at least
>>restrict execution to a group of "trusted users".
>Yeah, some of those binaries can definitely go.  But there still will
>be things like ping, traceroute, passwd, su that will remain suid 0 for a
>long time.

The world executability of ping and traceroute can be removed without any
serious problems.  The group can be changed to a group containing the people who
might need these tools.  At least that's some improvement.

For LDAP and/or Kerberos the passwd command no longer needs suid-ness.  (NOTE:
Redhat leaves it suid when you install either).

su is more of a stumbling block.  The only way to un-suid su is to use Kerberos.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW
Grand Rapids, MI. 49505
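The procedure described in the message above (find the setuid-root binaries, then take away world execute on tools like ping and traceroute and hand them to a trusted group), as an added shell example; this is not code from the original post or the list. The group name "netadm" in the usage line is an assumption, and the script deliberately does not touch anything on its own: it only changes the path you pass it.

```sh
#!/bin/sh
# Added example: audit setuid-root binaries and restrict one of them to a
# trusted group, leaving it as -rwsr-x--- root <group>.

# List setuid-root regular files under the given directories
# (default: the usual binary directories, staying on one filesystem).
list_suid_root() {
    if [ $# -eq 0 ]; then
        set -- /bin /sbin /usr/bin /usr/sbin
    fi
    find "$@" -xdev -type f -user root -perm -4000 2>/dev/null
}

# Return 0 if the file is executable by "other" (world), 1 otherwise.
# -perm -001 is the POSIX octal form, so this works outside GNU find too.
is_world_exec() {
    [ -n "$(find "$1" -prune -perm -001 2>/dev/null)" ]
}

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# Give the binary to a trusted group and drop world execute.
# Order matters: chown/chgrp clears the setuid bit on most systems, so the
# chmod that re-applies 4750 (setuid, rwx owner, r-x group, nothing for
# other) must come AFTER the group change, not before it.
restrict_to_group() {
    bin=$1
    grp=$2
    chgrp "$grp" "$bin" && chmod 4750 "$bin"
}

# Usage (assumed group name; run as root on a real system):
#   list_suid_root
#   restrict_to_group /bin/ping netadm
#   restrict_to_group /usr/sbin/traceroute netadm
#   mode_of /bin/ping            # 4750
#   is_world_exec /bin/ping      # now returns 1
```

Re-run list_suid_root after the change: the binary is still setuid root (it has to be, to open raw sockets), but is_world_exec on it now fails, which is the "some improvement" the post is after. Keep in mind that package upgrades will usually reset the mode and group, so the change needs to be re-applied or enforced by whatever your distribution uses for permission policy.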