Bugtraq mailing list archives
Re: Cobalt RaQ 3 security hole?
From: listuser () SEIFRIED ORG (Kurt Seifried)
Date: Fri, 21 Jul 2000 14:05:06 -0600
> If my experience of Cobalt RaQs is anything to go by, admserv needs root permissions to execute some of the scripts that come standard with the web interface. This allows designated user accounts to create new users in /etc/passwd, and so forth. The errors you are getting running it as an ordinary user are due to insufficient privileges. Whilst running admserv as root isn't perhaps that secure, it is essential to the function of the web interface; one can only hope that Cobalt's scripts that run through admserv don't have any holes.
Wouldn't it be a LOT more secure if the webserver ran as nobody and the scripts that needed to run as root, well, ran as root (and had properly paranoid input checking)? What you are saying is correct, but it is obvious that Cobalt took the easy way out on this one and either needs to do quite a bit of work to fix it, or can leave the status quo, at which point it becomes inevitable that someone will find a flaw that they can exploit and boom, every RaQ 3 now has an extra root account or five. Letting vendors get away with this kind of stuff is exactly why we're in such a mess.
> Thanks and best regards, Francis
-Kurt
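One way to build the split Kurt describes (web server as nobody, a small separate root helper that does the privileged work behind paranoid input checking), as an added Python example that is not from the original thread and is not Cobalt's admserv code. The username pattern, the reserved-name list, the UID range and the useradd invocation are assumptions chosen for illustration; the dry_run runner only records the argv instead of executing it, so the block runs without root.

```python
"""Privilege-separated user creation: the web front end never touches
/etc/passwd itself. It hands (name, uid) to a root helper whose only job is
to validate both values against an allowlist and invoke the system tool with
a fixed argv. Added example; all constants below are assumptions."""
import re
import subprocess

# Assumed policy: names the web interface must never be allowed to create.
RESERVED_NAMES = {"root", "bin", "daemon", "admin", "nobody"}

# Allowlist, not a denylist: first char a letter or underscore, then up to 31
# lowercase letters, digits, underscore or hyphen. No '.', '/', ' ', ';' etc.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Assumed policy: web-created accounts live in an ordinary, non-system range.
UID_MIN, UID_MAX = 1000, 60000


class RejectedRequest(ValueError):
    """Raised by the helper when the caller's input fails validation."""


def validate_username(name) -> str:
    if not isinstance(name, str):
        raise RejectedRequest("username must be a string")
    # fullmatch, not match(): with '^...$' a trailing newline still matches,
    # which is exactly the kind of input that ends up as an extra line in a
    # file the helper writes.
    if not USERNAME_RE.fullmatch(name):
        raise RejectedRequest(f"username {name!r} fails the allowlist pattern")
    if name in RESERVED_NAMES:
        raise RejectedRequest(f"username {name!r} is reserved")
    return name


def validate_uid(uid) -> int:
    try:
        uid = int(uid)          # rejects '1e3', '10 ', '' and non-numeric junk
    except (TypeError, ValueError):
        raise RejectedRequest("uid must be an integer") from None
    if not UID_MIN <= uid < UID_MAX:
        raise RejectedRequest(f"uid {uid} outside the web-creatable range")
    return uid


def build_useradd_argv(name, uid, home_root="/home") -> list:
    """Return the exact argv the helper will execute. A list, never a shell
    string, so metacharacters in the input can never become commands; '--'
    stops a name beginning with '-' from being parsed as an option."""
    name = validate_username(name)
    uid = validate_uid(uid)
    return ["/usr/sbin/useradd", "--uid", str(uid),
            "--home-dir", f"{home_root}/{name}",
            "--shell", "/bin/sh", "--", name]


# The dry-run runner records what would have been executed (for tests and
# for a 'show me first' mode); in production the helper passes subprocess.run.
DRY_RUN_LOG = []


def dry_run(argv, **kwargs):
    DRY_RUN_LOG.append(list(argv))
    return subprocess.CompletedProcess(argv, 0, b"", b"")


def privileged_create_user(name, uid, runner=subprocess.run) -> int:
    """Entry point of the root helper. Validation happens before anything
    privileged runs; shell=False and a fixed binary path are non-negotiable."""
    argv = build_useradd_argv(name, uid)
    result = runner(argv, shell=False, check=False, capture_output=True)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate request and a few that a web form
    # could deliver. Only the first reaches the runner.
    for candidate in ["alice", "alice; id", "../etc", "alice\n", "root", "-x"]:
        try:
            rc = privileged_create_user(candidate, 1001, runner=dry_run)
            print(f"{candidate!r}: would run {DRY_RUN_LOG[-1]} (rc={rc})")
        except RejectedRequest as exc:
            print(f"{candidate!r}: rejected ({exc})")
```

The point of the split is that the part running as root is tiny and reviewable: one allowlist per argument, one fixed command line, and no shell anywhere in the path. The web front end can be as sloppy as it likes without gaining more than the nobody account already has.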