ess to it.
>
> ...
> References:
>
> [1] http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1.2
> [2] http://www.debian.org/doc/debian-policy/ch-files.html#s10.9
(please see http://bugs.debian.org/299007 for more details).
> (gzip is not typically ran in any of these direc
this hearsay, common knowledge, or documented somewhere?
Please note that NFS was only an example of how root-equivalent things become
an acute issue. (Admittedly my only current example: you rightfully would
not accept past sendmail bugs.)
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.u
its ownership of /home is "wrong". Its use
and usefulness should be reviewed.
Group staff is said to be useful "for helpdesk types or junior sysadmins",
without warnings that it is in fact root-equivalent.
Use of root-equivalent users and groups may enlarge the attack surfa
olishly) think is safe?
> The problem is that most NFS-servers and most versions of the
> NFS protocol do not perform sufficient validation ...
NFS may be ugly and insecure. Should we banish it from Debian?
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
Scho
ollowing of the
policy, prevents base-files from being secure. Is not the policy at
fault if it mandates insecure settings or actions?
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
terry,
/export and /export/home must be owned and writable by root only.
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
I have now sent the following to the BugTraq and FullDisclosure mailing
lists, see e.g.
http://www.securityfocus.com/archive/1/393997
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032804.html
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of
taff feature and privileges:
your machine, your right to run it any way you like; its (in)security is
your responsibility alone. However, you must also grant me the right to
run my machine securely, and should not try to prevent me from doing so
by policy.
Cheers,
Paul Szabo [EMAIL PROTECTED]
.
Yes I noticed your agreement, thanks, and thanks for re-stating it. We seem
to disagree on the urgency only: are there any machines that are currently
affected?
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydne
chine, creates setgid-staff binary, gets root on all.
Is not that realistic?
Should not administrators be warned that giving staff privilege is
equivalent to root? Are not they being misled into thinking that staff is
somehow less dangerous?
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.m
rong, and will suffer the humiliation of being
laughed at; or maybe I am right ...
(I know Matt thinks bugs.debian is public already, but it is quite obscure;
so the general public, Debian users, and other Linux/UNIX maintainers may
still be in the dark.)
Cheers,
Paul Szabo [EMAIL PROTECTED]
ups disk and
tty also.)
(The problem is not Debian-specific. Only the policy is; I am not sure if
other distributions even have a policy.)
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
ks,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
CTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
option; but become-any-user-but-root and
become-any-group-but-root remain possible. In the presence of NFS, we (the
local machine) cannot fully protect users; but must still protect root.
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statis
ser in group staff.
>
> I think you did not bother to read my response, since I
> explicitly stated that there is no reason to have /home writable by
> user staff.
I used the name /users, not /home; whether either is group-staff-writable
is irrelevant.
In my example, I properly and
on of privileges ... we should encourage.
Yes, definitely; but we need to do so securely.
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
group tty also? All should be
"squashed" (and the objects owned by root:root instead).
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
ght have missed.
I apologize for blacklisting your ISP. Apparently the bounce message from
maths.usyd.edu.au said:
see http://www.dnsbl.sorbs.net/cgi-bin/db?IP=82.65.23.158 or mail [EMAIL PROTECTED] if genuine
I will now ask my postmaster to whitelist your email address.
Cheers,
Paul Szabo [E
onfiguration. It is your bug if you do not warn against the insecure
settings.
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
e common scenarios, current
arrangements allow root access. (The worst kind of "bug": mandated by
policy...)
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia