Bugtraq mailing list archives
Re: Immunix OS Security update for lots of temp file problems
From: Greg KH <greg () WIREX COM>
Date: Wed, 10 Jan 2001 17:47:39 -0800
On Thu, Jan 11, 2001 at 02:28:31AM +0100, Tomasz Kloczko wrote:

<info about shadowutils package snipped>

> Sorry but I can't convince with classify this kind bad code as bug. Why? Because if You have (for example) /etc/default world writable this is not a bug in (for example) shadow. Other side - if You make any other normally non world writable directory (or file) You can find more this kind "bugs" all rest analyse in this point can be dropped and also You can try prepare *much many* this kind "fixes" on source level and still You will can't defense system before simple attacks .. *before fixing permission*.
Yes, you are correct. Sorry if the wording of the advisory was too harsh, I didn't mean for it to be that way. I understand that it's not a problem on properly configured systems, and understand why you didn't release an updated package (however the code in the current cvs tree is still broken as of about 24 hours ago, mkstemp is not a drop-in replacement for mktemp. See the patch that I sent you a few weeks ago.)

However relying _only_ on the permissions of /etc/default still feels like a bug to us, that's why we released a version with the mkstemp patch. We prefer to have multiple levels of security (like our patch to inn shows.)

Hope this helps clear up things with regards to this package update.

greg k-h

--
greg@(kroah|wirex).com
http://immunix.org/~greg
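An added example, not part of the original message and not the patch it refers to: a C sketch of why mkstemp cannot simply be substituted for mktemp, and what the converted code has to look like. The function name `write_via_tempfile`, the `.tmpXXXXXX` template and the scratch paths in `main` are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Old pattern:  mktemp(tmpl); fp = fopen(tmpl, "w");
 *   mktemp() only builds a name, leaving a window between name and open.
 * Naive swap:   mkstemp(tmpl); fp = fopen(tmpl, "w");
 *   mkstemp() returns a descriptor and has already created the file, so
 *   the descriptor is leaked and the file is reopened by name. The
 *   fopen() that followed mktemp() has to be converted as well.
 */

/* Hypothetical helper: write data to dest via a temp file created in dir.
 * Returns 0 on success, -1 on error. */
int write_via_tempfile(const char *dir, const char *dest, const char *data)
{
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s/.tmpXXXXXX", dir) >= (int)sizeof tmpl)
        return -1;

    int fd = mkstemp(tmpl);       /* creates and opens in one step, mode 0600 */
    if (fd < 0)
        return -1;

    FILE *fp = fdopen(fd, "w");   /* wrap the descriptor we already hold */
    if (!fp) { close(fd); unlink(tmpl); return -1; }

    int ok = fputs(data, fp) != EOF;
    ok = (fclose(fp) == 0) && ok; /* fclose() also closes fd */
    if (ok && rename(tmpl, dest) == 0)
        return 0;
    unlink(tmpl);                 /* never leave a stray temp file behind */
    return -1;
}

int main(void)
{
    char dir[] = "/tmp/demoXXXXXX";   /* constructed scratch directory */
    if (!mkdtemp(dir)) return 1;
    char dest[64];
    snprintf(dest, sizeof dest, "%s/settings", dir);
    int rc = write_via_tempfile(dir, dest, "EXAMPLE=1\n");
    printf("%s: %s\n", dest, rc == 0 ? "written" : "failed");
    unlink(dest); rmdir(dir);
    return rc ? 1 : 0;
}
```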