Bugtraq mailing list archives
Re: Security Problems in XMCD 2.1
From: alan () lxorguk ukuu org uk (Alan Cox)
Date: Wed, 27 Nov 1996 20:10:35 +0000
However, what attracted me to this package was the optional MD5 check on your binary after the ACL is verified and before the su/execution.
Better I think to alter your OS binary loader so that it looks for an extra ELF 'MD5 signed' tag and checks it against a kernel-specific key you load. Any binary not matching it that's run uid < somevalue just doesn't run setuid. I'd be tempted to extend that to doesn't run so you had only a small subset of root runnable as root binaries.

Alan
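
A user-space model of the loader policy proposed in the message above, as an added example that is not part of the original post or of any kernel. It assumes the tag is an HMAC-MD5 of the image under the loaded key (the message does not specify the construction); `PRIV_UID_LIMIT`, the function names and the sample bytes are hypothetical.

```python
import hashlib
import hmac

# Assumed stand-in for "somevalue" in the message: uids below this are privileged.
PRIV_UID_LIMIT = 100


def make_tag(key: bytes, image: bytes) -> bytes:
    """Tag the administrator attaches to a binary at install time (assumed HMAC-MD5)."""
    return hmac.new(key, image, hashlib.md5).digest()


def tag_ok(key: bytes, image: bytes, tag) -> bool:
    """True only if a tag is present and matches the image under the loaded key."""
    if tag is None:
        return False
    return hmac.compare_digest(make_tag(key, image), tag)


def exec_decision(key, image, tag, real_uid, owner_uid, setuid_bit, strict=False):
    """Return (allowed, effective_uid) as the modelled loader would decide.

    Base policy: an unverified binary never gains a privileged uid via setuid.
    strict=True models the extension: an unverified binary that would run
    with a privileged uid does not run at all.
    """
    euid = owner_uid if setuid_bit else real_uid
    if tag_ok(key, image, tag) or euid >= PRIV_UID_LIMIT:
        return True, euid
    if strict:
        return False, None
    # Ignore the setuid bit and run with the caller's own uid.
    return True, real_uid


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample key
    image = b"\x7fELF constructed sample"    # constructed sample image bytes
    tag = make_tag(key, image)
    print(exec_decision(key, image, tag, 1000, 0, True))            # tagged setuid-root
    print(exec_decision(key, image + b"!", tag, 1000, 0, True))     # modified after tagging
    print(exec_decision(key, image, None, 0, 0, False, strict=True))  # root, untagged, strict
```
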