On Mon, 1 Jun 1998, Chris Evans wrote:

> Most importantly, please note that there are probably plenty of other
> security holes in linuxconf apart from this one.

This is a really key point. Linuxconf is quite large, and (IMHO) much too large to be properly audited. Linuxconf needs to use some sort of setuid helper program and a reexec mechanism if it ever hopes to be secure.

Yes, Red Hat knew this before we shipped it. Yes, Red Hat knew we needed to turn off the setuid bit. Yes, Red Hat screwed up :-(

Erik

-------------------------------------------------------------------------------
| "For the next two hours, VH1 will be filled with foul-mouthed,               |
| crossdressing Australians. Viewer discretion is advised."                    |
|                                                                              |
| Linux Application Development -- http://www.redhat.com/~johnsonm/lad         |

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:24 PDT