Re: SCO OpenServer 5.0.5 overwrite /etc/shadow

From: Bela Lubkin (belalat_private)
Date: Tue Oct 12 1999 - 19:56:01 PDT

    I wrote:
    
    > > Brock Tellier wrote:
    > >
    > > > Any user may overwrite any file with group auth (i.e. /etc/shadow,
    > >
    > > [sad tale which does not require repeating]
    > >
    > > Brock, I would like to publically thank you for the auditing you are
    > > doing.  And, I suppose, hang my head in shame at the problems you're
    > > finding in the process.
    > >
    > > You are being heard.  Various people and groups at SCO are scrambling to
    > > fix what's been mentioned.  Your discoveries are also prompting various
    > > proactive security audit efforts.  I'm not in a position to make any
    > > promises about results.  I do know that we have good intentions and will
    > > try to deliver on them as well as we can...
    > >
    > > Not an official SCO representative --
    
    To which Adam "sirsykoat_private" replied:
    
    > beyond the commentary, which should be spared (personally I'd rather see more
    > meat and less of the idle flaming), I really think it should be pointed out
    > that the auditing efforts at SCO were not "prompted" because of Brock's work.
    > I know of people who have been at work doing auditing SCO code before the
    > recent release of SCO advisories. Many (not all) of which were fixed before
    > these advisories made it to bugtraq. Unfortunately it does take time to notify
    > the userbase properly, rather than leaving them like sitting ducks after
    > announcing to the world where potential security problems lay.
    >
    > I'm not trying to downplay Brock's efforts (It's great to see a post other
    > than [Subject: program -flag `perl -e "A"x2000;` has a hole! ]). However, it
    > is unfair to make it out that SCO couldn't give a rat's ass about the security
    > of its installed userbase.
    
    Thank you.  I did not mean to imply that no security auditing was done
    before Brock's input!  However, it is also true that Brock is pointing
    out some areas that have been neglected in the recent past.  I really
    *did* mean that the list of bugs he sent is leading to (additional)
    auditing efforts beyond what was already being done.
    
    >Bela<
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:29 PDT