Bugtraq mailing list archives
Re: Many vulnerabilities in LSF 4.0
From: Greg Reid <greid () platform com>
Date: 7 Dec 2001 11:40:48 -0000
In-Reply-To: <Pine.LNX.4.10.10112051714250.19966-100000 () apollo aci com pl>

Since the initial posting on Dec 5, we have been collaborating closely with the author to better understand the issues raised and we are working with him to provide a timely solution. Our product teams are working on patches.

The issues can be broken down into three areas:

o Permission setting on LSF error log

If you are using the default LSF 4.2 installation, you would not have any exposure because the LSF error log directory can only be written by root or the LSF administrator. If you are using syslog or if the error log is in a directory that is writable only by root, you would not be exposed. You can check the permission of your LSF error log directory (LSF_LOGDIR parameter in the lsf.conf) to make sure it is not writable by regular users.

o setuid binaries

In an LSF installation configured with Kerberos, there are only two setuid binaries, lsadmin and badmin, which are administrator commands. You can unset the setuid bits for these two binaries, and run these commands as root to perform administration operations. A patch will address the setuid issues raised in the posting.

o Buffer overflows

We are doing a thorough investigation into all sources of buffer overflows. Updates to our progress will be posted when available.

take care,
Greg

Greg L. Reid                      greid () platform com
Second-line Technical Support
Platform Computing Corporation
3760 14th Avenue, Markham         Phone:(905)948-4207
Ontario, Canada, L3R 3T7          Cell :(416)788-4487
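The two checks the reply recommends, reading LSF_LOGDIR out of lsf.conf and confirming the directory is not group- or world-writable, and looking for the setuid bit on lsadmin and badmin, can be scripted. The following POSIX sh script is an added example, not code from the original post or from Platform Computing. It assumes lsf.conf uses simple KEY=VALUE lines (optionally double-quoted), that the two commands live in a single bin directory you pass in, and that the hypothetical LSF_CONF and LSF_BINDIR environment variables name those paths; the default bin path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two configuration
# points named in the reply, LSF_LOGDIR writability and setuid bits on
# lsadmin/badmin. Uses only ls/cut/sed/grep/tr so it runs on old systems.

# Print the last LSF_LOGDIR assignment in an lsf.conf, quotes stripped.
# Assumes KEY=VALUE lines; an empty result means the parameter is unset
# (syslog or the installation default is then in use).
lsf_logdir() {
    grep '^[[:space:]]*LSF_LOGDIR[[:space:]]*=' "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr -d '"'
}

# Succeed (exit 0) when the directory is writable by group or others.
# ls -ld mode string: position 6 is group write, position 9 is other write.
dir_exposed() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d????w*|d???????w?) return 0 ;;
    esac
    return 1
}

# Succeed (exit 0) when the file carries the setuid bit.
# ls -l mode string: position 4 is 's' or 'S' when setuid is set.
is_setuid() {
    mode=$(ls -l "$1" | cut -c1-10)
    case "$mode" in
        ???[sS]*) return 0 ;;
    esac
    return 1
}

# Run both checks; print findings and return the number of issues found.
audit_lsf() {
    conf="$1"
    bindir="$2"
    issues=0

    logdir=$(lsf_logdir "$conf")
    if [ -z "$logdir" ]; then
        echo "info: LSF_LOGDIR not set in $conf (syslog or default log dir in use; verify that directory by hand)"
    elif dir_exposed "$logdir"; then
        echo "EXPOSED: $logdir is group- or world-writable: $(ls -ld "$logdir")"
        issues=$((issues + 1))
    else
        echo "ok: $logdir is writable only by its owner"
    fi

    for cmd in lsadmin badmin; do
        f="$bindir/$cmd"
        [ -e "$f" ] || continue
        if is_setuid "$f"; then
            echo "SETUID: $f (mitigation from the reply: chmod u-s $f and run it as root)"
            issues=$((issues + 1))
        else
            echo "ok: $f is not setuid"
        fi
    done
    return $issues
}

# Stand-alone use: LSF_CONF=/path/to/lsf.conf LSF_BINDIR=/path/to/bin sh audit.sh
# (LSF_CONF / LSF_BINDIR are assumed names; the bin default is a placeholder)
if [ -n "${LSF_CONF:-}" ]; then
    audit_lsf "$LSF_CONF" "${LSF_BINDIR:-/PLACEHOLDER/lsf/bin}"
fi
```

The exit status of audit_lsf is the issue count, so it can gate a cron job or a configuration-management run; a non-zero result means either the log directory is writable by unprivileged users or one of the two administrator commands still carries the setuid bit.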
Current thread:
- Many vulnerabilities in LSF 4.0 Tomasz Grabowski (Dec 05)
- <Possible follow-ups>
- Re: Many vulnerabilities in LSF 4.0 Greg Reid (Dec 07)