Bugtraq mailing list archives
Re: Security problem in ESRI's ArcDoc 7.0.4
From: jwa () nbs nau edu (James W. Abendschan)
Date: Fri, 24 May 1996 19:12:46 -0700
Way back on May 24, 11:05am, "Sven.Wijk" wrote:
> The program doesn't seem to be there in the version we are running (7.0.2). Downgrading might be an alternative solution. Please correct me if I'm wrong!
Downgrading might work, but Arc/Info is so buggy we *need* 7.0.4. I just removed the suid bit from fm_fls; it seems to not have any adverse effects.
> A quick search in the ArcInfo directories showed 4 other programs suid to root. Do we have a potential for problems?
Hmm..

-rwsr-sr-x 1 root root 1319912 Jan 21 01:31 ./arcexe70/programs/asmaster
-rwsr-sr-x 1 root root 5871192 Jan 21 01:32 ./arcexe70/programs/asrecovery
-rwsr-sr-x 1 root root 6059112 Jan 21 01:32 ./arcexe70/programs/asuser
-rwsr-sr-x 1 root root 1110856 Jan 21 01:32 ./arcexe70/programs/asutility
-rwsr-sr-x 1 root root 3724136 Jan 29 12:00 ./arcexe70/programs/se
-rwsr-sr-x 1 root root   24464 Jan 21 01:31 ./arcexe70/programs/wservice
-rwsr-sr-x 1 root root   20016 Jan 21 01:20 ./arcexe70/programs/abservice
-rwsr-sr-x 1 root root 3200832 Jan 21 01:20 ./arcexe70/programs/asbuil

I suppose statistically, there must be at least one security bug in programs this large. Unfortunately (?), all but two of these won't run on our system (we don't have a license for them.)
> Our GIS-people earlier looked at ESRI's product ArcStorm. Its client-server solution is built on:
> - a bunch of programs suid to root
> - the client must be trusted hosts to the server, by means of the /etc/.rhost or /etc/host.equiv file.
> This made me very uneasy, and I finally managed to get them to drop their ArcStorm-dreams, and to search for some more security-minded solution. It seems that security isn't a high priority issue for ESRI's developers.
Nor is bug-free code, but this isn't alt.esri.bash.bash.bash ..

James

--
James W. Abendschan                                 Email: jwa () nbs nau edu
UNIX Systems Programmer/Administrator               Phone: (520) 556-7466 x238
Colorado Plateau Research Station, Flagstaff, AZ    Voice mail: *516
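The thread's remedy is an admin one: find every setuid/setgid binary under the vendor tree, decide which ones the site actually needs, and strip the bit from the rest, as James did with fm_fls. Below is an added POSIX shell example of that audit; it is not from this message, from Bugtraq, or from ESRI. The directory layout (arcexe70/programs) and the file names in the demo tree are constructed to mirror the listing above, and the demo files are ordinary shell scripts owned by the current user, not root-owned binaries.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit an application
# directory for setuid/setgid files and strip the bits from those that
# are not needed. Functions return results so they can be checked.

# list_setuid DIR: long-listing of every setuid or setgid regular file under DIR
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# count_setuid DIR: number of setuid/setgid regular files under DIR
count_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# is_setuid FILE: succeed if FILE carries the setuid or setgid bit
is_setuid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# strip_setuid FILE: remove both bits, the same change the post made to fm_fls.
# Record the old mode first so the change can be reverted if a program needs it.
strip_setuid() {
    ls -l "$1" >> "${AUDIT_LOG:-/dev/null}"
    chmod u-s,g-s "$1"
}

# demo_tree: build a throwaway tree (constructed sample, not an ESRI install)
# with three setuid scripts and one plain script, and print its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/arcexe70/programs"
    for p in asmaster asrecovery asuser notsuid; do
        printf '#!/bin/sh\necho %s\n' "$p" > "$d/arcexe70/programs/$p"
        chmod 755 "$d/arcexe70/programs/$p"
    done
    chmod u+s "$d/arcexe70/programs/asmaster" \
              "$d/arcexe70/programs/asrecovery" \
              "$d/arcexe70/programs/asuser"
    printf '%s\n' "$d"
}

# Stand-alone usage: sh audit.sh --demo   (or: list_setuid /path/to/arcexe70)
if [ "${1:-}" = "--demo" ]; then
    root=$(demo_tree)
    echo "setuid/setgid files under $root:"
    list_setuid "$root"
    strip_setuid "$root/arcexe70/programs/asmaster"
    echo "after stripping asmaster: $(count_setuid "$root") remain"
    rm -rf "$root"
fi
```

On a real install, run `list_setuid` first and keep the output; `find -perm -4000` matches the u+s bit regardless of the other mode bits, so it catches the `-rwsr-sr-x` entries above as well as setuid-only ones. Stripping the bit is reversible from the recorded mode, which matters here because the post notes that some of the programs could not even be tested for side effects on that site.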
Current thread:
- Security problem in ESRI's ArcDoc 7.0.4 James W. Abendschan (May 23)
- Re: Security problem in ESRI's ArcDoc 7.0.4 Andrew Raphael (May 24)
- <Possible follow-ups>
- Re: Security problem in ESRI's ArcDoc 7.0.4 Sven.Wijk (May 24)
- Re: Security problem in ESRI's ArcDoc 7.0.4 James W. Abendschan (May 24)
- Re: Security problem in ESRI's ArcDoc 7.0.4 James W. Abendschan (May 24)