Bugtraq mailing list archives
Re: majordomo 1.94.5 does not fix all vulnerabilities
From: mj () UCW CZ (Martin Mares)
Date: Tue, 25 Jan 2000 22:52:19 +0100
Hello!
If you think about it, this makes daemon and majordomo accounts interchangeable. If I break daemon, I can become majordomo because of all the holes in it. If I can become majordomo, I can also become daemon--I just have to replace the wrapper program with my own binary (the majordomo directory is owned by majordomo in the default install).
Another possibility is to drop `wrapper' and use a mail queue management daemon with a simple setuid utility for inserting new mail to the queue. See ftp://atrey.karlin.mff.cuni.cz/pub/local/mj/net/usher-1.0.tar.gz for details.

Have a nice fortnight
--
Martin `MJ' Mares <mj () ucw cz> http://atrey.karlin.mff.cuni.cz/~mj/
Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
"Anyone can build a fast CPU. The trick is to build a fast system." -- S. Cray
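The ownership problem described in this message can be checked for mechanically. The following is an added example, not part of the original post or of Majordomo: it walks from a program up to the filesystem root and reports every path component that an account outside a trusted set could use to swap the program out. The function name `replaceable_by` and the demo directory layout are hypothetical.

```python
import os
import stat
import tempfile


def replaceable_by(path, trusted_uids):
    """Return [(component, reason)] for each component of `path` that lets an
    account outside `trusted_uids` replace the program found at `path`."""
    findings = []
    current = os.path.realpath(path)  # audit the real location, not a symlink
    while True:
        st = os.lstat(current)
        # The owner of a directory can rename or unlink anything inside it,
        # so an untrusted owner anywhere on the path controls the program.
        if st.st_uid not in trusted_uids:
            findings.append((current, "owned by uid %d" % st.st_uid))
        # Group membership is not resolved here; any group or world write
        # bit is reported, except on sticky directories (such as /tmp),
        # where only the entry's owner or the directory's owner may remove it.
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if loose and not sticky_dir:
            mode = stat.S_IMODE(st.st_mode)
            findings.append((current, "group/world writable, mode %o" % mode))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Constructed layout: a "majordomo" directory holding a "wrapper" file.
    # Run as a non-root user, that user stands in for the majordomo account
    # owning the directory; only uid 0 is treated as trusted.
    home = os.path.join(tempfile.mkdtemp(), "majordomo")
    os.mkdir(home, 0o755)
    wrapper = os.path.join(home, "wrapper")
    open(wrapper, "w").close()
    os.chmod(wrapper, 0o755)
    for component, reason in replaceable_by(wrapper, {0}):
        print("%s: %s" % (component, reason))
```
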