Bugtraq mailing list archives
Re: Security hole with perl (suidperl) and nosuid mounts on Linux
From: jhi () iki fi (Jarkko Hietaniemi)
Date: Mon, 18 Jan 1999 22:06:53 +0200
Ollivier Robert writes:
> According to Jan B. Koum:
> > nosuid  Do not allow set-user-identifier or set-group-identifier bits to take effect. Note: this option is worthless if a public available suid or sgid wrapper like suidperl(1) is installed on your system.
>
> As I said to Jan on freebsd-security, I submitted a patch to perl5-porters before 5.004_04 but it was not included in the mainstream Perl because 1. it was too close to release and 2. it was FreeBSD-specific. The fix to this bug/feature has been incorporated in FreeBSD's perl5 port and in the /usr/src/contrib-uted version of Perl since before 2.2.7 so FreeBSD users need not worry about that.

Ditto for NetBSD if one has been using the "packages", and IIRC OpenBSD uses the FreeBSD ports system, so all the NeoBSDs have been relatively safe. Of course, by the numbers Linux has been a gaping hole, then.

> --
> Ollivier ROBERT -=- Eurocontrol EEC/TS -=- Ollivier.Robert () eurocontrol fr
> The Postman hits! The Postman hits! You have new mail.

--
$jhi++; # http://www.iki.fi/jhi/
# There is this special biologist word we use for 'stable'.
# It is 'dead'. -- Jack Cohen
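
The check that the quoted man page note says a set-id wrapper lacks, as an added example that is not part of this thread and is not the FreeBSD patch mentioned above: before honouring a script's set-id bits, the wrapper asks the filesystem holding the already-open script whether it is mounted nosuid. It assumes POSIX `fstatvfs()` and `ST_NOSUID`; the names `honor_setid`, `script_setid_policy`, `HONOR_UID` and `HONOR_GID` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define HONOR_UID 1u   /* hypothetical result bits for this example */
#define HONOR_GID 2u

/* Pure policy: which set-id bits of `mode` may take effect, given the
 * mount flags (statvfs f_flag) of the filesystem holding the script. */
unsigned honor_setid(mode_t mode, unsigned long fs_flags)
{
    unsigned out = 0;
    if (fs_flags & ST_NOSUID)   /* mount says: no set-id from here */
        return 0;
    if (mode & S_ISUID) out |= HONOR_UID;
    if (mode & S_ISGID) out |= HONOR_GID;
    return out;
}

/* Query the open descriptor, not the path, so the file that is checked
 * is the file that will be interpreted. Returns -1 on error so that the
 * caller fails closed. */
int script_setid_policy(int fd)
{
    struct stat st;
    struct statvfs vfs;
    if (fstat(fd, &st) != 0 || fstatvfs(fd, &vfs) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))   /* only regular files can be set-id scripts */
        return 0;
    return (int)honor_setid(st.st_mode, vfs.f_flag);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s script\n", argv[0]); return 2; }
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0) { perror("open"); return 2; }
    int p = script_setid_policy(fd);
    close(fd);
    if (p < 0) { perror("fstat/fstatvfs"); return 2; }
    printf("setuid honoured: %s, setgid honoured: %s\n",
           (p & HONOR_UID) ? "yes" : "no", (p & HONOR_GID) ? "yes" : "no");
    return 0;
}
```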