On 8/27/06, Bruce Dubbs <[EMAIL PROTECTED]> wrote:
> Robert Connolly wrote:
> >
> > I agree that only trusted users should be in group root, but being in someone's
> > group should not allow escalation to taking over the account. It undermines
> > the purpose of having groups.
>
> We are saying that it's not really a significant vulnerability.  Yes,
> it could be used to escalate to a uid root by someone in the root group
> if the administrator is stupid and adds a user to the root group.  It
> would also be stupid to `chmod -R o+w /bin`.  We just can't stop every
> possible misconfiguration admins can make.

I have to agree with Robert on this one. If something is known to
install with weak permissions, I think we should change them instead
of writing it off as bad packaging. The fix is simple enough.

--
Dan
--
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
