Bugtraq mailing list archives

Re: Immunix OS Security update for lots of temp file problems


From: Greg KH <greg () WIREX COM>
Date: Wed, 10 Jan 2001 17:47:39 -0800

On Thu, Jan 11, 2001 at 02:28:31AM +0100, Tomasz Kloczko wrote:

<info about shadowutils package snipped>

> Sorry but I can't convince with classify this kind bad code as bug. Why?
> Because if You have (for example) /etc/default world writable this is not
> a bug in (for example) shadow. Other side - if You make any other normally
> non world writable directory (or file) You can find more this kind "bugs"
> all rest analyse in this point can be dropped and also You can try prepare
> *much many* this kind "fixes" on source level and still You will can't
> defense system before simple attacks .. *before fixing permission*.

Yes, you are correct.  Sorry if the wording of the advisory was too
harsh, I didn't mean for it to be that way.

I understand that it's not a problem on properly configured systems, and
understand why you didn't release an updated package (however the code in
the current CVS tree is still broken as of about 24 hours ago; mkstemp
is not a drop-in replacement for mktemp.  See the patch that I sent you a
few weeks ago.)

However relying _only_ on the permissions of /etc/default still feels
like a bug to us, that's why we released a version with the mkstemp
patch.  We prefer to have multiple levels of security (like our patch to
inn shows.)

Hope this helps clear up things with regards to this package update.

greg k-h


--
greg@(kroah|wirex).com
http://immunix.org/~greg
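
The remark above that mkstemp is not a drop-in replacement for mktemp, shown as an added example (not code from the shadow tree or from the patch mentioned in the message, neither of which appears on this page): mktemp only fills in a name, while mkstemp creates the file and returns an open descriptor. The function names and /tmp templates are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative helper: mktemp(path) swapped for mkstemp(path), old code
 * after it left alone. mkstemp() has already created the file, so the old
 * exclusive create fails; returns the errno of that open (EEXIST). */
int naive_swap(char *path)
{
    int leaked = mkstemp(path);   /* old code expected a char * here */
    if (leaked < 0) return errno;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int err = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);
    close(leaked);                /* a real naive swap would leak this fd */
    unlink(path);
    return err;
}

/* Correct conversion: keep the descriptor mkstemp() returns and write
 * through it; never reopen the file by name. Returns 0 on success. */
int write_temp(char *path, const char *data)
{
    mode_t old = umask(077);      /* some older libcs created the file 0666 */
    int fd = mkstemp(path);
    umask(old);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len;
    if (close(fd) != 0 || !ok) {
        unlink(path);
        return -1;
    }
    return 0;
}

int main(void)
{
    char a[] = "/tmp/demo-naive-XXXXXX";   /* constructed templates */
    char b[] = "/tmp/demo-fixed-XXXXXX";
    printf("naive swap: %s\n", strerror(naive_swap(a)));
    printf("write_temp: %d (%s)\n", write_temp(b, "entry\n"), b);
    return unlink(b) != 0;
}
```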

