Bugtraq mailing list archives

Re: Security problem in ESRI's ArcDoc 7.0.4


From: jwa () nbs nau edu (James W. Abendschan)
Date: Fri, 24 May 1996 19:12:46 -0700


Way back on May 24, 11:05am, "Sven.Wijk" wrote:
> The program doesn't seem to be there in the version we are running (7.0.2).
> Downgrading might be an alternative solution. Please correct me if I'm wrong!

Downgrading might work, but Arc/Info is so buggy we *need* 7.0.4.  I
just removed the suid bit from fm_fls; it seems to not have any adverse
effects.

> A quick search in the ArcInfo directories showed 4 other programs suid to root.
> Do we have a potential for problems?

Hmm..

-rwsr-sr-x   1 root     root     1319912 Jan 21 01:31 ./arcexe70/programs/asmaster
-rwsr-sr-x   1 root     root     5871192 Jan 21 01:32 ./arcexe70/programs/asrecovery
-rwsr-sr-x   1 root     root     6059112 Jan 21 01:32 ./arcexe70/programs/asuser
-rwsr-sr-x   1 root     root     1110856 Jan 21 01:32 ./arcexe70/programs/asutility
-rwsr-sr-x   1 root     root     3724136 Jan 29 12:00 ./arcexe70/programs/se
-rwsr-sr-x   1 root     root       24464 Jan 21 01:31 ./arcexe70/programs/wservice
-rwsr-sr-x   1 root     root       20016 Jan 21 01:20 ./arcexe70/programs/abservice
-rwsr-sr-x   1 root     root     3200832 Jan 21 01:20 ./arcexe70/programs/asbuil

I suppose statistically, there must be at least one security bug in
programs this large. Unfortunately (?), all but two of these won't run on our
system (we don't have a license for them.)

> Our GIS-people earlier looked at ESRI's product ArcStorm. Its client-server
> solution is built on:
>   - a bunch of programs suid to root
>   - the clients must be trusted hosts to the server, by means of the /etc/.rhost
>     or /etc/host.equiv file.
> This made me very uneasy, and I finally managed to get them to drop their
> ArcStorm-dreams, and to search for some more security-minded solution.
> It seems that security isn't a high priority issue for ESRI's developers.

Nor is bug-free code, but this isn't alt.esri.bash.bash.bash ..

James


--
James W. Abendschan                                 Email: jwa () nbs nau edu
UNIX Systems Programmer/Administrator               Phone: (520) 556-7466 x238
Colorado Plateau Research Station, Flagstaff, AZ    Voice mail: *516
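An added example, not part of this thread or of any ESRI tool: a small POSIX shell audit that does what the two posters did by hand, enumerating setuid/setgid files under an install tree, stripping the bits from one program while logging its prior mode for rollback, and picking the root-owned setuid entries out of an archived ls -l listing. The directory path, log file name and the extra non-setuid line in the sample listing are constructed for illustration.

```shell
#!/bin/sh
# setuid_audit.sh: constructed example, not code from the thread or from ESRI.

# Print every setuid or setgid regular file under directory $1 in ls -l form,
# so the owner and mode bits are visible, as in the listing quoted above.
list_setuid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# Number of setuid/setgid regular files under $1.
count_setuid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Exit 0 if file $1 currently carries a setuid or setgid bit
# (-prune keeps find from descending if $1 happens to be a directory).
is_setuid() {
  [ -n "$(find "$1" -prune -type f \( -perm -4000 -o -perm -2000 \))" ]
}

# Append the current ls -l line for $1 to rollback log $2, then clear both
# bits: the step taken for fm_fls in the post, made reversible.
strip_setuid() {
  ls -ld "$1" >> "$2" && chmod u-s,g-s "$1"
}

# Read ls -l lines on stdin; print the path of each entry owned by root whose
# user-execute slot (4th character of the mode string) is 's' or 'S'.
suid_root_from_listing() {
  awk '$3 == "root" && substr($1, 4, 1) ~ /[sS]/ { print $NF }'
}

# Constructed sample: two lines from the quoted listing plus one made-up
# non-setuid entry (notsuid) to show that it is filtered out.
SAMPLE_LISTING='-rwsr-sr-x   1 root     root     1319912 Jan 21 01:31 ./arcexe70/programs/asmaster
-rwsr-sr-x   1 root     root       24464 Jan 21 01:31 ./arcexe70/programs/wservice
-rwxr-xr-x   1 root     root       20016 Jan 21 01:20 ./arcexe70/programs/notsuid'

# Usage: sh setuid_audit.sh /path/to/arcexe70   (hypothetical path)
if [ -n "$1" ]; then
  list_setuid "$1"
  echo "$(count_setuid "$1") setuid/setgid file(s) under $1"
fi
```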