At 02:41 05.11.98 -0400, Aaron Campbell wrote: >It's hard to tell how serious this is, but I'm sure it could be harmful in >some situations/environments. At any rate, a bug that should definitely be >fixed, especially since xlock is normally set-user-ID root. Instead of making xlock and other programs that need access to /etc/shadow setuid root, you can create a group named shadow, allow this group to read the shadow file and make all those programs setgid shadow. So if someone finds an exploit, all he can get is the shadow password file instead of immediate root access. This is nothing really new, I've tried it with xlock the first time in 1995, so I cannot understand why Unix distributions still ship with the program setuid to root. cu.. Stefan +--------------------------------------------------------------+ | Customer: I'm using Windows '95. Hotline: Ok, got that one. | | Customer: It's not working. Hotline: You already said that. | +--------------------------------------------------------------+
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:27 PDT