Re: majordomo 1.94.5 does not fix all vulnerabilities

From: Martin Mares (mjat_private)
Date: Tue Jan 25 2000 - 13:52:19 PST


    Hello!
    
    > If you think about it, this makes daemon and majordomo accounts
    > interchangeable. If I break daemon, I can become majordomo because of
    > all the holes in it. If I can become majordomo, I can also become
    > daemon--I just have to replace the wrapper program with my own binary
    > (the majordomo directory is owned by majordomo in the default install).
    
       Another possibility is to drop `wrapper' and use a mail queue management
    daemon with a simple setuid utility for inserting new mail to the queue.
    See ftp://atrey.karlin.mff.cuni.cz/pub/local/mj/net/usher-1.0.tar.gz
    for details.
    
    				Have a nice fortnight
    --
    Martin `MJ' Mares   <mjat_private>   http://atrey.karlin.mff.cuni.cz/~mj/
    Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
    "Anyone can build a fast CPU. The trick is to build a fast system." -- S. Cray
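
Added example, not part of the original message or of Majordomo: a check for the account equivalence described in the quoted text, where a program that one account executes lives in a directory another account controls. The function name `weak_links`, the `trusted` parameter and the usage path are assumptions made for illustration.

```python
import os
import pwd
import stat
import sys

def weak_links(path, runner_uid, trusted=(0,)):
    """Return (component, reason) pairs for each part of `path` that an
    account other than runner_uid or a trusted uid could use to swap it."""
    findings = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        mode = stat.S_IMODE(st.st_mode)
        # Whoever owns the file or any directory above it can replace it.
        if st.st_uid != runner_uid and st.st_uid not in trusted:
            findings.append((current, f"owned by uid {st.st_uid}"))
        # A sticky directory stops non-owners renaming or deleting entries.
        sticky = stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky:
            findings.append((current, f"group/world-writable, mode {mode:04o}"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent

if __name__ == "__main__":
    # Usage (constructed path): check.py /path/to/majordomo/wrapper daemon
    program, account = sys.argv[1], sys.argv[2]
    for component, reason in weak_links(program, pwd.getpwnam(account).pw_uid):
        print(f"{component}: {reason}")
```

Any line of output names a path component through which a second account can put its own binary in place of the program, which is what makes the two accounts interchangeable.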
    


