Bugtraq mailing list archives
Re: HP Security vulnerability in the man command
From: lists () FIPS DE (Philipp Buehler)
Date: Tue, 6 Jun 2000 10:56:31 +0200
Theo de Raadt wrote To BUGTRAQ () SECURITYFOCUS COM:
0) HP *still* insists on NOT setting the sticky bit on world-writeable temporary directories (/tmp and /var/tmp) on default installs of HPUX.If this is the case, then any temporary file which gets reopened is not safe. A *lot* of software does reopening by name.
Handling temporary files is broken in so many scripts .. e.g. I just *wait* for the next broken Oracle installer for such a hole. Other point. I have 2 "default" installed HP-UX 10.20 boxes and I *have* the sticky bit set on /tmp which cures the problem by itself. Well, the behaviour of `man' is not nice anyway. Could the original poster elaborate on his "default" installation? I could only think of installations which are no TCB HP-UX. I will check the change logs, but I don't think the +t depends on that. You *should* use TCB anyway on HP-UX, or how do you want to manage "shadowed" passwords there properly? Or do you really want to live with word readable hashed passwords? ciao -- Philipp Buehler, aka fIpS | sysfive.com GmbH i.G. | BOfH | NUCH | <double-p> %SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time. Artificial Intelligence stands no chance against Natural Stupidity.
Current thread:
- Re: An Analysis of the TACACS+ Protocol and its Implementations Juan M. Courcoul (Jun 01)
- Re: An Analysis of the TACACS+ Protocol and its Implementations Eccentric (Jun 01)
- HP Security vulnerability in the man command Jason Axley (Jun 02)
- MDMA Advisory #5: Reading of CGI Scripts under Savant Webserver Drew (Jun 05)
- Re: HP Security vulnerability in the man command Theo de Raadt (Jun 05)
- Re: HP Security vulnerability in the man command Philipp Buehler (Jun 06)
- Password Generation during RH Linux 6.x Installation William R. Lorenz (Jun 07)
- Re: Password Generation during RH Linux 6.x Installation Fabian Kroenner (Jun 08)
- Re: HP Security vulnerability in the man command V. T. Mueller (Jun 07)
- HP Security vulnerability in the man command Jason Axley (Jun 02)
- Re: An Analysis of the TACACS+ Protocol and its Implementations Eccentric (Jun 01)