> > I'd like to create updating dns and user and password under web.
> > but I don't have suid so I cannot change the file or running binary file
> > that use root permission...
> > let's have that little coffee break moment here and think about this.
> > Have you thought about the 'security' issues involved here???

Here is an exploit:

1. Cracker finds out the DNS password by sniffing your IP traffic, as you just passed it plain text.
2. Then he changes the IP address to point to one of "his" servers, and redirects from that server to what it should be. This is a "man in the middle" attack.
3. Now, the next person who logs into another machine using weak protocols (e.g. telnet/rsh) gives away the password to their account.
4. Cracker laughs heavily, and changes back the DNS information.
5. Cracker logs into that user's account, ready to set off to attack another machine.

Basically, DNS contains critical information that system security depends on. If you need IPs that change (self allocating) then use dynamic IPs, if you need to allow users to change their OWN IP ONLY then this form scheme would be okay - if it's encrypted at 128bit. Just don't let one "superuser" be able to change everything using a non-encrypted password, okay?

END_SECURITY_WARNING

Jonathan Paton