Bugtraq mailing list archives
Re: SECURITY: Red Hat Linux 5.1 linuxconf bug
From: sergio () pratonext it (Sergio Ballestrero)
Date: Sat, 30 May 1998 11:54:56 +0200
On Thu, 28 May 1998, Michael K. Johnson wrote:
In Red Hat Linux 5.1, linuxconf version 1.11r11-rh2 was inadvertantly setuid root. This creates the potential for security holes that allow attackers to gain root access to your machine. (Users of Red Hat Linux 5.0 and earlier are NOT affected, as linuxconf was not included with any previous version of Red Hat Linux.) If you have installed Red Hat Linux 5.1, you can immediately remove the danger by logging in as root and running the command: chmod -s /bin/linuxconf We also recommend that you update to the latest version of linuxconf, linuxconf-1.11r11-rh3, which fixes this bug. Thanks to BUGTRAQ for finding and reporting this.
the binary RPMs have always been shipped with suid linuxconf. Does this announce mean that linuxconf has been found insecure, so that is MUST not be used suid ? I haven't seen anything about linuxconf on BUGTRAQ, apart from your posting. The fact is, linuxconf's most valuable feature, to me, is the possibility to delegate user administration. If i drop SUID, i cannot do that anymore - right ? And i cannot use remote admin, too. So, if linuxconf is so insecure that one cannot dare having it suid, it almost becomes useless. Could you (Michael, Jacques) please clarify about Linuxconf security ? It is fundamental to know whether the security risks are only from local users, or also from external attacks. Is there somebody doing security auditing on Linuxconf ? Cheers, Sergio ------------------------------------------------------------------------- Sergio Ballestrero PratoNeXt s.r.l. System Manager Via Giotto 27 59100 Prato sergio () pratonext it Tel 604350 - Fax 604454 -------------------------------------------------------------------------
Current thread:
- Re: SECURITY: Red Hat Linux 5.1 linuxconf bug Sergio Ballestrero (May 30)
- <Possible follow-ups>
- Re: SECURITY: Red Hat Linux 5.1 linuxconf bug Jim Dennis (Jun 01)
- Re: SECURITY: Red Hat Linux 5.1 linuxconf bug Sergio Ballestrero (Jun 01)
- Re: SECURITY: Red Hat Linux 5.1 linuxconf bug Matthieu Araman (Jun 02)