On Thu, Jun 24, 1999 at 12:24:00AM -0400, Miscioscia, George M wrote:
> Spectrum users,
>
> This statement is not entirely true...
>
> "The writable directories include those containing the Spectrum executables,
> at least one of which is, and apparently must be, run as "root" during
> normal operation of the product."
>
> Although certain directories are made writable, the SpectroSERVER executable
> need only run once as "root".

The one Spectrum executable to which I was referring (but didn't name) when I said "apparently must be run as root" is "processd", not "SpectroSERVER".

processd, which is an inetd-like process, must be run as root because only a root-owned process can arbitrarily launch child processes that can subsequently setuid(2) to become other users such as "spectrum".

I know of no one who normally runs SpectroSERVER as root, and do not claim that it has anything to do with the aforementioned vulnerability.

As an aside: My original posting to start this thread went to two mailing lists simultaneously: "spectrumat_private" and "bugtraq.org". Methinks that some of the replies in this thread may just be the result of folks using a "group" reply feature (replying to all recipients) in their MUA and were not (necessarily) meant for "bugtraq".

If nothing else, this can serve as a reminder to myself and others that it may be better to compose separate messages, one to each list. That way the other lists' address(es) won't appear in the message headers.

Dave

--
plonkaat_private http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI
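A defender's check for the condition discussed in this thread (an executable launched as root that sits under a writable directory), added here as an example that is not part of the original message or of Spectrum. The function names, the policy of flagging any group or world write bit, and the constructed demo tree are assumptions.

```python
import os
import stat
import tempfile

def writable_components(executable, trusted_uids=(0,), stop_at="/"):
    """Walk from the executable up to stop_at and return (path, reason) for
    every component that someone outside trusted_uids could modify or replace."""
    findings = []
    path = os.path.realpath(executable)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(path)
        kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
        if st.st_uid not in trusted_uids:
            findings.append((path, f"{kind} owned by untrusted uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP:   # assumed policy: no group write at all
            findings.append((path, f"{kind} is group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, f"{kind} is world-writable"))
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            return findings
        path = parent

def demo():
    """Audit a constructed install tree before and after the directory
    holding the daemon is made writable."""
    me = os.getuid()  # stands in for root so the demo runs unprivileged
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o755)
        bindir = os.path.join(base, "bin")
        os.mkdir(bindir)
        os.chmod(bindir, 0o755)
        daemon = os.path.join(bindir, "daemon")  # constructed placeholder file
        with open(daemon, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(daemon, 0o755)
        tight = writable_components(daemon, (me,), stop_at=base)
        os.chmod(bindir, 0o777)  # weak setting: any user can swap the file
        loose = writable_components(daemon, (me,), stop_at=base)
        root = os.path.realpath(base)
        return tight, [(os.path.relpath(p, root), r) for p, r in loose]

if __name__ == "__main__":
    print(demo())
```

On a real host, call `writable_components` with the full path of the root-launched daemon and the default `trusted_uids=(0,)`; an empty list means no component of the path can be replaced by a non-root user under this policy.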