Bugtraq mailing list archives

Re: Security hole with perl (suidperl) and nosuid mounts on Linux


From: jhi () iki fi (Jarkko Hietaniemi)
Date: Mon, 18 Jan 1999 22:06:53 +0200


Ollivier Robert writes:
According to Jan B. Koum:
             nosuid Do not allow set-user-identifier or
             set-group-identifier bits to take effect.  Note: this option
             is worthless if a public available suid or sgid wrapper like
             suidperl(1) is installed on your system.

As I said to Jan on freebsd-security, I submitted a patch to perl5-porters
before 5.004_04 but it was not included in the mainstream Perl because
1. it was too close to release and 2. it was FreeBSD-specific.

The fix to this bug/feature has been incorporated in FreeBSD's perl5 port
and in the /usr/src/contrib-uted version of Perl since before 2.2.7 so
FreeBSD users need not worry about that.

Ditto for NetBSD if one has been using the "packages", and IIRC
OpenBSD uses FreeBSD ports system, so all the NeoBSDs have been
relatively safe.  Of course, by the numbers Linux has been a gaping
hole, then.

--
Ollivier ROBERT -=- Eurocontrol EEC/TS -=- Ollivier.Robert () eurocontrol fr
The Postman hits! The Postman hits! You have new mail.

--
$jhi++; # http://www.iki.fi/jhi/
        # There is this special biologist word we use for 'stable'.
        # It is 'dead'. -- Jack Cohen


