Bugtraq mailing list archives
Re: majordomo 1.94.5 does not fix all vulnerabilities
From: barr () VISI COM (Dave Barr)
Date: Tue, 25 Jan 2000 08:54:39 -0600
Brock Sides wrote:
> Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock Tellier, that permits execution of arbitrary code as user majordomo, it apparently does not fix the other bug in the script majordomo, that permits execution of arbitrary config files as user majordomo:
While people need to certainly be made clear of this, this is entirely intentional. The cleanest fix to the problem of the majordomo programs running arbitrary code as the majordomo user/group is to fix the permissions of the wrapper so it is mode o-rx (or that the Majordomo home directory is mode 750). Any other proposed solutions were fraught with race conditions, partial fixes, and just plain uglinesses.

This is clearly explained in the INSTALL document in 1.94.5 and re-emphasized on the Majordomo FAQ.

--Dave
Majordomo FAQ maintainer
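
A check for the two permission settings named in the message above, as an added example that is not part of the original post or of the Majordomo distribution. The function names are hypothetical, the wrapper and home directory paths are supplied by the caller, and the home-directory setting is assumed to count only when the wrapper lives under that directory.

```shell
#!/bin/sh
# Added example (not Majordomo's own code): checks whether either
# permission-based mitigation named in the message is in place.

# Print the three "other" permission characters of PATH, e.g. "r-x" or "---".
other_bits() {
    ls -ld -- "$1" 2>/dev/null | cut -c8-10
}

# check_majordomo_perms WRAPPER HOMEDIR   (absolute paths, caller-supplied)
# Returns 0 if a mitigation holds, 1 if neither does, 2 if a path is missing.
check_majordomo_perms() {
    mj_wrapper=$1
    mj_home=${2%/}
    if [ ! -f "$mj_wrapper" ] || [ ! -d "$mj_home" ]; then
        echo "error: wrapper or home directory not found" >&2
        return 2
    fi

    # Mitigation 1: wrapper is mode o-rx (no read, no execute for other).
    # "T" in the last position is sticky-without-execute, so it also passes.
    case $(other_bits "$mj_wrapper") in
        -?[-T]) echo "OK: wrapper is o-rx"; return 0 ;;
    esac

    # Mitigation 2: home directory gives other no access (the 0 in 750).
    # Assumption: this only counts when the wrapper is under that directory.
    case $mj_wrapper in
        "$mj_home"/*)
            case $(other_bits "$mj_home") in
                --[-T]) echo "OK: home directory closed to other"; return 0 ;;
            esac ;;
    esac

    echo "FAIL: neither mitigation is in place" >&2
    return 1
}
```

A non-zero return from `check_majordomo_perms` on an installed system means local users outside the majordomo group can still reach the wrapper.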