Bug#4465: security hole in netdiag package
Peter Tobias writes:
> 
> Package: netdiag
> Version: 0.2-3
> 
> The postinst script copies the tcpdump binary from the tcpdump
> package and the traceroute binary from the netstd package to /usr/bin
> and makes them setuid root.adm. This allows all users in the existing
> adm group to use tcpdump to get the unencrypted passwords that are
> transmitted over the network.

This is a real problem. But you probably cannot really fix it since you still
have that possibility via another machine. My colleague tried this in recent
weeks and wondered why it didn't work until I told him about ssh. :-)

> IMHO the netdiag package shouldn't use tcpdump/traceroute
> (neither as binaries nor as links). Copying/linking binaries from
> other packages just to have them in /usr/bin is a bad idea. Maybe
> something like this should be added to the guidelines.

Totally agreed. Just for curiosity, why were they moved anyway? Most users
who know these tools will figure out how to start them from /usr/sbin
anyway.

Michael

-- 
Michael Meskes                   |    _____ ________ __  ____
meskes@informatik.rwth-aachen.de |   / ___// ____/ // / / __ \___  __________
meskes@sanet.de                  |   \__ \/ /_  / // /_/ /_/ / _ \/ ___/ ___/
meskes@debian.org                |  ___/ / __/ /__  __/\__, /  __/ /  (__  )
Use Debian GNU/Linux!            | /____/_/      /_/  /____/\___/_/  /____/
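Added example (not part of the netdiag package, nor code from either poster): a small POSIX shell audit for the exact pattern the report describes, binaries installed setuid root with a group-execute bit so that members of one group (here adm) inherit the privilege. The first function lists such files under a directory with their mode, owner and group; the second strips the setuid bit, which is the minimal repair when the copies cannot simply be removed. The directory, file names and the GNU `stat -c` format are assumptions for the demonstration.

```shell
#!/bin/sh
# Audit for setuid binaries that a group can execute (e.g. mode 4750 root:adm).
# Added example; assumes GNU coreutils stat and a POSIX find.

# audit_setuid_group DIR
# Prints "mode owner group path" for every regular file under DIR whose
# setuid bit AND group-execute bit are both set (-perm -4010 means "at
# least these bits"). Owner root plus an ordinary group is the case the
# bug report complains about: every member of that group runs as root.
audit_setuid_group() {
    dir="$1"
    find "$dir" -type f -perm -4010 2>/dev/null | while IFS= read -r f; do
        # %a octal mode, %U owner, %G group, %n path (GNU stat syntax)
        stat -c '%a %U %G %n' "$f"
    done
}

# strip_setuid DIR
# Removes the setuid bit from every file audit_setuid_group would report,
# so the binaries fall back to the caller's own privileges. Printing the
# affected paths gives an audit trail of what was changed.
strip_setuid() {
    dir="$1"
    find "$dir" -type f -perm -4010 2>/dev/null | while IFS= read -r f; do
        chmod u-s "$f" && printf 'stripped setuid: %s\n' "$f"
    done
}

# Stand-alone usage: audit the directory named on the command line,
# defaulting to /usr/bin as in the report.
if [ "${AUDIT_SETUID_NO_MAIN:-}" = "" ] && [ "$(basename -- "$0")" = "audit_setuid.sh" ]; then
    audit_setuid_group "${1:-/usr/bin}"
fi
```

Run as `sh audit_setuid.sh /usr/bin` to see which setuid binaries are group-executable on a host; the list is short on a sane system, and anything owned by root with a non-root group deserves a second look, because group membership then equals root for that program.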
