On Mon, Sep 27, 1999 at 04:35:50PM -0500, Brock Tellier wrote: > We may be missing the point here. This isn't necessarily a nethack > or RH 6.0 vulnerability, it is a GNOME vulnerability and nothing more. > The "redhat" and "nethack" names were purely for demonstration purposes. > If Red Hat is concerned about losing face over an vulnerability like > this, perhaps they should consult those who package Mandrake as "Red Hat > Linux 6.0 with enhancements" and ship it with /etc/redhat-release. We can not take credit OR blame for those enhancements - including nethack - that MandrakeSoft adds to Red Hat Linux. /etc/redhat-release remains for compatibility, as does the RedHat link on the CD-ROM images. Linux Mandrake 6.1 was released before Red Hat Linux 6.1 anyway, so they can't brand the next version as "Red Hat Linux 6.1 with enhancements." You said, "I tried it on (the irony) /usr/games/nethack, which is SGID root by default on RH6.0." This is a false statement. We do not loose face, you do by making utterly false claims. We do not ship any GNOME programs with setuid/gid bits that give anything more than 'games' group access and 'wtmp' group access (which is gnome-pty-helper, not a full GNOME application, therefore immune to your reported bug). So, my point: You can not use your exploit on GNOME applications as shipped in Red Hat Linux 6.0 to gain extra privileges beyond the current user privileges that allow you to do anything beyond changing your high score in gnomine. Matt mswat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:33 PDT