Bugtraq mailing list archives

Re: Possible bufferoverflow condition in lpr, xterm and xload


From: sopwith () redhat com (Elliot Lee)
Date: Tue, 13 Aug 1996 13:56:43 -0400


On Tue, 13 Aug 1996, Mike Acar wrote:

> It might be worth noting that when I ran tiger on my bastardized and
> upgraded Red Hat 2.0 system, it produced a 7 MB output. Mostly this was
> complaining about lots of things being group bin, root, etc writable. Or
> perhaps this is no surprise to anybody. To Red Hat's credit, none of the
> s[ug]id binaries they provide is writable by anybody but the owner.

1. 2.0 is ancient - if you are still running it w/o upgrades (which I
doubt, from the "bastardized" part :) there are worse security holes to
worry about.

2. The default setup for Red Hat is to have each person in their own
group, and have a umask of 002. When you changed things, g+w permissions
got added, and tiger squawked. The pros and cons of the individual group
scheme as opposed to the UNIX norm are arguable, but you shouldn't have to
worry about any additional security problems with it (?)

 --==== Elliot Lee = <sopwith () redhat com> == Red Hat Software ====--
"Usenet is like a herd of performing elephants with diarrhea; massive,
 difficult to redirect, awe-inspiring, entertaining, and a source of
 mind-boggling amounts of excrement when you least expect it."
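The two checks the thread turns on, whether any s[ug]id binary is writable by anyone but its owner and why a 002 umask with user-private groups produces g+w files, can be reproduced with a few lines of POSIX shell. This is an added example written for this archive page, not code from Elliot Lee, Mike Acar or the tiger package; the sample tree, the file names and the function names are constructed here for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Audits a directory tree for
# setuid/setgid files that are group- or world-writable, and shows the
# effect of the umask on the group-write bit of newly created files.

# Print every regular file under $1 that has the setuid or setgid bit set
# AND is writable by group or by other. Owner-only-writable s[ug]id files
# are the safe case the post describes and are not printed.
find_writable_sxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -020 -o -perm -002 \) -print
}

# Number of findings under $1, as a bare integer (tr strips BSD wc padding).
count_findings() {
    find_writable_sxid "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree in a fresh temp directory and print its
# path. The modes below are the cases a practitioner would want covered.
make_sample_tree() {
    dir=$(mktemp -d)
    touch "$dir/ok_suid" "$dir/bad_suid_gw" "$dir/bad_sgid_ww" "$dir/plain_gw"
    chmod 4755 "$dir/ok_suid"       # setuid, writable only by owner: fine
    chmod 4775 "$dir/bad_suid_gw"   # setuid and group-writable: finding
    chmod 2777 "$dir/bad_sgid_ww"   # setgid and world-writable: finding
    chmod 0664 "$dir/plain_gw"      # group-writable but not s[ug]id: ignored
    echo "$dir"
}

# Create a file under umask $1 (in a subshell so the caller's umask is
# untouched) and report "g+w" if the result is group-writable, else "g-w".
# umask 002 (the Red Hat user-private-group default) yields 664 -> g+w;
# the traditional 022 yields 644 -> g-w.
group_writable_under_umask() {
    f=$(mktemp -d)/newfile
    (umask "$1"; : > "$f")
    if [ -n "$(find "$f" -perm -020)" ]; then
        echo g+w
    else
        echo g-w
    fi
}

# Demonstration on the constructed tree; run the audit on a real system as
#   find_writable_sxid /            (expect no output on a clean box)
demo_tree=$(make_sample_tree)
echo "writable s[ug]id files under $demo_tree:"
find_writable_sxid "$demo_tree"
echo "umask 002 -> $(group_writable_under_umask 002)"
echo "umask 022 -> $(group_writable_under_umask 022)"
```

On a system using user-private groups, a g+w file is only as exposed as the membership of that private group, which is why tiger's complaints are mostly noise there; the s[ug]id check is the one that matters regardless of the group scheme, since a group- or world-writable setuid binary can be replaced by anyone in that group and then run with the owner's privileges.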
