Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x

[lcamtuf () IDS PL (Michal Zalewski)]

On Wed, 25 Aug 1999, Michael K. Johnson wrote:

> To change this behaviour in the way Michal wants would require that
> all console-switching activity be controlled only by root.  This would
> have a detrimental effect on security, because it would increase the
> number of setuid applications on the system.  So this is not a kernel
> bug, and since the behaviour Michal wants would have to be enforced in
> the kernel and vlock is not capable of changing it, it is not a vlock
> bug either.

I did not agree it is not a bug, because it allows breaking security
scheme offered by vlock. But, for sure, I agree it's not a kernel bug, and
not a vlock bug neither... Noone owns this vulnerability, but it is a
vulnerability, as one of security mechanisms can be bypassed somehow :)

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]