Re: DSA 557-1 and CAN-2004-0564

To: debian-security@lists.debian.org
Cc: joey@infodrom.org, cve@mitre.org
Subject: Re: DSA 557-1 and CAN-2004-0564
From: "David F. Skoll" <dfs@roaringpenguin.com>
Date: Mon, 4 Oct 2004 09:55:13 -0400 (EDT)
Message-id: <[🔎] Pine.LNX.4.58.0410040952350.21496@shishi.roaringpenguin.com>

Hi,

The rp-pppoe "security advisory" is totally bogus.  rp-pppoe is
not meant to run SUID-root, and nowhere in the documentation is this
recommended.

You might as well post a security advisory about "ls" because it doesn't
drop privileges if it's installed SUID-root.

Arguably, rp-pppoe should set its user-ID to "nobody" after it has opened
the raw sockets.  It wasn't designed this way because pppd runs as root
all the time, and pppd is orders of magnitude more complex than rp-pppoe,
so I didn't see much security advantage.

Regards,

David.

Reply to:

Follow-Ups:
- Re: DSA 557-1 and CAN-2004-0564
  - From: Martin Schulze <joey@infodrom.org>

Prev by Date: Re: wget for sarge update
Next by Date: Re: DSA 557-1 and CAN-2004-0564
Previous by thread: No more money worries
Next by thread: Re: DSA 557-1 and CAN-2004-0564
Index(es):
- Date
- Thread