On Mon, 28 Aug 2006 01:24:13 +0200, Robert Connolly wrote:
> I don't know how many of you feel comfortable with an suid-root program being
> group writable.
Just FYI: /usr/bin/r{cp,login,sh} are suid-root and group-writable as
well.
Tim
--
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
F
On Wednesday 30 August 2006 01:45, Alex Merry wrote:
> On Tue, Aug 29, 2006 at 11:33:26PM +0400, Vladimir A. Pavlov wrote:
> > I mean a user able to read a file can disassemble it and find
> > security holes in it.
>
> Although it would probably be easier to download the sources and look
> at those
On Tue, Aug 29, 2006 at 11:33:26PM +0400, Vladimir A. Pavlov wrote:
> I mean a user able to read a file can disassemble it and find security
> holes in it.
Although it would probably be easier to download the sources and look at
those...
Alex :-)
--
Pippin
Computer Monkey to the Pelican
www.ox
On Tuesday 29 August 2006 00:20, thorsten wrote:
> I even would go one step further, a normal user is not able to
> troubleshoot network problems so why should he be able to ping?
> chmod 0711 /bin/ping
1. No, actually. For example, I work as a usual user and when a browser
becomes too slow I firs
As-is the /bin/ping permissions in LFS are not exploitable. You have to go out
of your way to make it so, and the same could be said about countless other
configurations. Changing the permission on /bin/ping wouldn't have any effect
on the security of the vanilla system, and only serves a "what i
Robert Connolly wrote:
> I don't know how many of you feel comfortable with an suid-root program being
> group writable. I suggest we add:
>
> sed 's/4775/4755/' -i ping/Makefile.in
>
> to the LFS book.
Did I mention that the ping in inetutils sucks? There is a much better
one in the iputils p
Vladimir A. Pavlov wrote:
> On Monday 28 August 2006 03:24, Robert Connolly wrote:
>> sed 's/4775/4755/' -i ping/Makefile.in
>
> First, I think the shown way is a hack a little. It's better to do the
> following after installation:
>
> chmod 4711 /bin/ping
>
> Second, shouldn't it be 4711 rathe
On 8/28/06, Randy McMurchy <[EMAIL PROTECTED]> wrote:
Dan Nicholson wrote these words on 08/28/06 08:52 CST:
> I have to agree with Robert on this one. If something is known to
> install with weak permissions, I think we should change them instead
> of writing it off as bad packaging. The fix is
Dan Nicholson wrote these words on 08/28/06 08:52 CST:
> I have to agree with Robert on this one. If something is known to
> install with weak permissions, I think we should change them instead
> of writing it off as bad packaging. The fix is simple enough.
The argument is not the permissions of
On Monday 28 August 2006 03:24, Robert Connolly wrote:
> sed 's/4775/4755/' -i ping/Makefile.in
First, I think the shown way is a hack a little. It's better to do the
following after installation:
chmod 4711 /bin/ping
Second, shouldn't it be 4711 rather than 4755? The read-by-others access
to
On 8/27/06, Bruce Dubbs <[EMAIL PROTECTED]> wrote:
Robert Connolly wrote:
>
> I agree that only trusted users should be in group root, but being in someone's
> group should not allow escalation to taking over the account. It undermines
> the purpose of having groups.
We are saying that it's not
Robert Connolly wrote:
> On Sunday 27 August 2006 23:41, Randy McMurchy wrote:
>> Robert Connolly wrote these words on 08/27/06 22:20 CST:
>>> All I'm trying to say is that adding someone to group root should not be
>>> exploitable, at least not without further misconfiguration.
>> And all Bruce (a
On Sunday 27 August 2006 23:41, Randy McMurchy wrote:
> Robert Connolly wrote these words on 08/27/06 22:20 CST:
> > All I'm trying to say is that adding someone to group root should not be
> > exploitable, at least not without further misconfiguration.
>
> And all Bruce (as well as myself) is sayi
Robert Connolly wrote these words on 08/27/06 22:20 CST:
> All I'm trying to say is that adding someone to group root should not be
> exploitable, at least not without further misconfiguration.
And all Bruce (as well as myself) is saying is that *nobody* should
be added to the root group unless t
All I'm trying to say is that adding someone to group root should not be
exploitable, at least not without further misconfiguration.
robert
On Sunday 27 August 2006 21:37, Bruce Dubbs wrote:
> Robert Connolly wrote:
> > It's an open door for someone in group root to escalate their privileges.
>
Robert Connolly wrote:
> It's an open door for someone in group root to escalate their privileges.
> Anyone in group root can copy /bin/bash to /bin/ping.
It's a pretty stupid administrator that puts *anyone* in the root group.
I've never seen it, but it could be done.
-- Bruce
It's an open door for someone in group root to escalate their privileges.
Anyone in group root can copy /bin/bash to /bin/ping.
robert
On Sunday 27 August 2006 21:16, Bruce Dubbs wrote:
> Robert Connolly wrote:
> > I don't know how many of you feel comfortable with an suid-root program
> > being
Robert Connolly wrote:
> I don't know how many of you feel comfortable with an suid-root program being
> group writable.
It may not be optimal, but the group is root so it really isn't a
security vulnerability. I admit that other distros like RedHat change
it to 4755.
Perhaps this should be s
I don't know how many of you feel comfortable with an suid-root program being
group writable. I suggest we add:
sed 's/4775/4755/' -i ping/Makefile.in
to the LFS book.
robert