Bugtraq mailing list archives
Re: [lids] bug
From: Georg Zoeller <zoeller () MEFFERT DE>
Date: Fri, 4 Aug 2000 16:53:38 +0200
/lidadm -S -- -LIDS seems to contain this bug too, in a way:

---------------
(user2 is a standard non root user!)

login....
....................................................................
bash$ joe /etc/passwd
(file is shown as readonly, cannot be modified)
bash$ su
Password:
[root@penguin user]# /sbin/lidsadm -S -- -LIDS
SWITCH
enter password:
[root@penguin user]#su user2
bash$ joe /etc/passwd
(file is not read-only, can be modified)
bash$ joe /etc/fstab
(file is not read only, can be modified)
bash$ ls -l /etc/fstab
-rw-r--r-- 1 root root 684 Jul 24 16:28 /etc/fstab
bash$ exit
[root@penguin user]#exit
bash$ joe /etc/passwd
(file is shown as readonly, cannot be modified)
......................................................................

Seems to me that the -LIDS shell does not drop the root privileges when switching to non-root accounts.

regards
georg

----- Original Message -----
From: "Kevin H Kamel" <kamelkev () glue umd edu>
To: <lids () egroups com>
Sent: Friday, August 04, 2000 4:27 PM
Subject: Re: [lids] bug

I've never issued -LIDS_GLOBAL either. I usually just do -LIDS... does -LIDS do this same thing? I thought that -LIDS would only allow that particular session to be running as UID=0, but you need to be root to turn it off anyway, so that doesn't really matter... why would you run this -LIDS_GLOBAL? From the security standpoint maybe that shouldn't exist at all?

-Kevin

On Fri, 4 Aug 2000, Georg Zoeller wrote:

... granted, it is very seldom that I boot with /security=0 (and if I do I'll disconnect from the net), but from time to time you'll need to issue a -LIDS_GLOBAL to test some things and then it really gets ugly.

What is severe if not having all users running as kind of uid=0 on your system?

regards
georg

----- Original Message -----
From: "Kevin Kamel" <kamelkev () glue umd edu>
To: <lids () egroups com>
Sent: Friday, August 04, 2000 4:07 PM
Subject: [lids] bug

You know the bug is a problem, but I wouldn't exactly quantify it as "severe". If your system is set up properly you would need to pass the security=0 from console to get the bug to happen. How often do you actually do this? I have *never* had to boot the kernel with security=0, I thought that was just in emergency cases when you really screwed up your configuration.

So if you have the "buggy" version right now, just make sure you disconnect from the net if you're going to do security=0, short of that you should be ok...

-Kevin Kamel