Bugtraq mailing list archives
Re: [Stan Bubrouski <satan () FASTDIAL NET>: Re: rh 6.2 - gid compromises, etc [+ MORE!!!]]
From: fdc () COLUMBIA EDU (Frank da Cruz)
Date: Fri, 23 Jun 2000 11:11:53 EDT
> Ya know, the sad thing is I pointed out these problems in bugzilla posts; the gkermit being sgid uucp I reported two+ weeks ago. No response. My description of the gkermit bug which I reported a couple of weeks ago can be found here: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11870
Hi all. I'm the author of gkermit, and this is the first I've heard of any of this (your message was forwarded to me by somebody who saw it on a mailing list). The author / support contact address is listed in the usage message and the man page; as a matter of courtesy, it should be included in bug reports.

So who said gkermit should be installed suid or sgid? It shouldn't. It does not need privileges for anything. The documentation says so:

    The makefile creates a binary called "gkermit". Simply move this binary to the desired directory, such as /usr/local/bin. It needs no special permissions other than read, write, and execute for the desired users and groups: no setuid, no setgid, or any other form of privilege.

This is from: http://www.columbia.edu/kermit/gkermit.html
> The C-Kermit package that comes on the Powertools CD with Red Hat 6.2 is installed sgid uucp as well and contains a plethora of unchecked buffers that can be used to run commands as gid uucp. Details can be found here: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11723
This one is news too and, again, I'd appreciate receiving reports like this. Of course I'll follow up on it. There might be a couple unchecked buffers, but there is not a plethora of them. A great deal of effort has gone into pre-checking buffer copy operations, and if some places were missed they can be fixed.

Frank da Cruz
The Kermit Project
Columbia University
612 West 115th Street
New York NY 10025-7799 USA
Email: fdc () columbia edu
Web: http://www.columbia.edu/kermit/
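An added audit helper, not from the gkermit project or from anyone in this thread, for verifying the point made above: that an installed gkermit (or any other binary that documents needing no privilege) carries neither the setuid nor the setgid bit, and for listing every privileged file under a package's install directory. Directory and file names used in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not gkermit or Red Hat code): audit install directories for
# setuid/setgid files and confirm a given binary has no privilege bits.

# Print a long listing of every regular file under $1 that is setuid or setgid.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Count the setuid/setgid regular files under $1 (prints a plain number).
count_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when the single file $1 has neither setuid nor setgid, 1 otherwise.
# -prune stops find from descending, so only $1 itself is examined.
has_no_privilege() {
    if [ -n "$(find "$1" -prune -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)" ]; then
        return 1
    fi
    return 0
}

# Demo on a constructed directory: a fake "gkermit" wrongly installed sgid
# (mode 2755, as the thread describes) next to a correctly installed copy.
demo() {
    dir=$(mktemp -d)
    : > "$dir/gkermit";       chmod 2755 "$dir/gkermit"        # sgid: wrong
    : > "$dir/gkermit-fixed"; chmod 0755 "$dir/gkermit-fixed"  # no privilege: right
    echo "privileged files under $dir:"
    list_privileged "$dir"
    for f in "$dir/gkermit" "$dir/gkermit-fixed"; do
        if has_no_privilege "$f"; then
            echo "OK:   $f has no setuid/setgid bit"
        else
            echo "WARN: $f is setuid or setgid; gkermit needs neither (chmod u-s,g-s)"
        fi
    done
    rm -rf "$dir"
}

[ "${1:-}" = "demo" ] && demo
```

Run as `sh audit.sh demo` to see the constructed case, or source it and call `list_privileged /usr/bin` on a real install directory.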