Bugtraq mailing list archives
Re: SECURITY: Red Hat Linux 5.1 linuxconf bug (fwd)
From: ewt () REDHAT COM (Erik Troan)
Date: Tue, 2 Jun 1998 09:02:22 -0400
On Mon, 1 Jun 1998, Chris Evans wrote:
> Most importantly, please note that there are probably plenty of other security holes in linuxconf apart from this one.
This is a really key point. Linuxconf is quite large, and (IMHO) much too large to be properly audited. Linuxconf needs to use some sort of setuid helper program and a reexec mechanism if it ever hopes to be secure. Yes, Red Hat knew this before we shipped it. Yes, Red Hat knew we needed to turn off the setuid bit. Yes, Red Hat screwed up :-(

Erik

-------------------------------------------------------------------------------
| "For the next two hours, VH1 will be filled with foul-mouthed,              |
| crossdressing Australians. Viewer discretion is advised."                   |
|                                                                             |
| Linux Application Development -- http://www.redhat.com/~johnsonm/lad        |