Bugtraq mailing list archives

Re: Security Problems in XMCD 2.1


From: repayne () jeeves net (repayne () jeeves net)
Date: Wed, 27 Nov 1996 10:16:32 -0600


On Tue, 26 Nov 1996 16:14:48, Theo Van Dinter said:
> On a side tangent, I grabbed the 2.1 binary (since I don't have the motif
> libraries under Linux...) and installed it.  It's not setuid by default...

Solaris 2, on the other hand, the binary gets installed SUID, but doesn't
seem to require it (removing SUID bit, everything still seems to function,
although database may not be updated for new CDs).

> On a side tangent, the standard rule of thumb is:  "If a program doesn't
> really need SUID/GID, don't give it SUID/GID." ...  Doesn't fix the buffer
> overrun, but it doesn't give the user root either...

I believe that also should go without saying.  The problem, I believe, is
that many systems require that a binary is SUID in order to access the
drives at this level.

                                                                -rob


