Bugtraq mailing list archives
Re: Linux /usr/bin/gnuplot overflow
From: andrea () E-MIND COM (Andrea Arcangeli)
Date: Fri, 5 Mar 1999 20:03:39 +0100
On Fri, 5 Mar 1999, Hans-Bernhard Broeker wrote:
> I strongly second this recommendation. I'll mail S.u.S.E. about it, if no-one else does (but then, they're bound to have someone reading bugtraq, right?).
If you use SuSE and you care a _lot_ about local security you must edit /etc/rc.config and set PERMISSION_SECURITY="paranoid". That way gnuplot would _not_ be suidroot. See the contents of /etc/permissions.paranoid:

root@laser:/home/andrea# grep gnuplot /etc/permissions.paranoid
# WHY ON HELL was gnuplot suid root !!!!!
/usr/bin/gnuplot root.root 755

Using PERMISSION_SECURITY="secure" was just installing tvscreen _not_ suidroot.

Using PERMISSION_SECURITY="easy" (and note: you are asked to set "easy" instead of "secure") is very risky in an environment that has to be secured, but you asked for that so don't complain (e.g. about xtvscreen).

I just tried once to fix the disinformation on the list about SuSE xtvscreen suidroot but Aleph One didn't accept my email. I don't know why Aleph One didn't accept my first email. Aleph?

Andrea Arcangeli
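An added example, not part of the original post and not SuSE's own tooling: a small audit that reads a permissions profile in the `path owner.group mode` layout shown in the grep output above and reports files that carry setuid/setgid bits the profile does not grant. The function names, the sample profile and the throwaway directory tree are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

# Constructed sample; the gnuplot line is the one shown in the grep output above.
SAMPLE_PROFILE = """\
# constructed sample profile
/usr/bin/gnuplot        root.root       755
"""

def parse_profile(text):
    """Map path -> expected mode from '<path> <owner>.<group> <octal mode>' lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0].startswith("#"):
            continue  # comment, blank or malformed line
        try:
            entries[fields[0]] = int(fields[2], 8)
        except ValueError:
            continue  # mode field is not octal
    return entries

def audit(entries, root="/"):
    """Return (path, expected, actual) for regular files carrying setuid/setgid
    bits that the profile does not grant. Ownership is not compared here."""
    findings = []
    for path, expected in sorted(entries.items()):
        try:
            st = os.lstat(os.path.join(root, path.lstrip("/")))
        except OSError:
            continue  # file not installed under this root
        actual = stat.S_IMODE(st.st_mode)
        extra = actual & (stat.S_ISUID | stat.S_ISGID) & ~expected
        if stat.S_ISREG(st.st_mode) and extra:
            findings.append((path, expected, actual))
    return findings

def demo():
    """Audit a throwaway tree holding a setuid placeholder at the profiled path."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "usr/bin/gnuplot")
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as fh:
            fh.write("placeholder, not a real binary\n")
        os.chmod(target, 0o4755)  # setuid bit set, which the profile's 755 forbids
        return audit(parse_profile(SAMPLE_PROFILE), root)

if __name__ == "__main__":
    for path, expected, actual in demo():
        print(f"{path}: profile says {expected:o}, on disk {actual:o}")
```

On a real system, pass the text of the profile file to `parse_profile` and leave `root` at its default.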