Re: Security hole in dosemu package
Christoph Lameter <clameter@waterf.org> writes:
> I think you misstated the issue. You are trying to parse a
> configuration file and you see the error messages of dosemu when
> parsing it.
That's the problem, not the issue. The issue is that anyone on my
system can read files owned by anyone else. Passwords, private email,
diaries, PGP private keys, anything. Debian is installed on thousands
of systems and all of them are about as secure as MS-DOS if dosemu is
installed.
Anyway, here is my procedure for looking for likely vulnerable
programs. I'll try to find another one this weekend for fun.
$ ls -alS /usr/bin | grep rws
-rwsr-xr-x 1 root root 569576 Oct 24 00:05 dos
-rwsr-xr-x 1 man root 66701 Jul 7 13:56 man
-rwsr-sr-x 1 root mail 59385 Jan 18 1996 procmail
-rwsr-xr-x 1 man root 52521 Jul 7 13:56 mandb
-rwsr-xr-x 1 root root 46088 Oct 30 09:25 sudo
[...]
The `-F' option was merely the first bug I found. Crackers often
break into systems by exploiting bugs, especially in large setuid root
programs such as sendmail, which has lots of people that continually
search for exploitable holes (they occasionally find one), and dos,
which is twice as large as sendmail and about 5% as debugged.
> Naturally that configuration file is read while dosemu still has not
> dropped its superuser privileges. Get on the mailing list for
> dosemu and talk to the guys. This is really a non-Debian-specific
> security hole in dosemu.
You could make the dosemu package more secure by removing
/etc/dosemu/users and repackaging dosemu. It's Debian-specific enough
if it's a Debian package, especially one that is not in contrib.
> Is it compiled to use the "users" file at all? Last that I know was
> that RedHat had an older version of dosemu which might not support
> the /etc/dosemu.users file. But that was a while ago.
Yes, it is.
--
Daniel Quinlan http://www.pathname.com/~quinlan
quinlan@pathname.com quinlan@transmeta.com (at work)
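The setuid survey the message does by hand with `ls -alS /usr/bin | grep rws`, as an added example that is not part of the original post: a POSIX shell audit that enumerates setuid/setgid files with `find` and reports any not present in an administrator-maintained allowlist (the allowlist format, one path per line, and the function names are assumptions).

```shell
#!/bin/sh
# Added example, not from the original message. Defender-side audit of
# setuid/setgid binaries: list them, then flag anything that is not on a
# reviewed allowlist so new or unexpected privileged programs stand out.
# Assumed format for the allowlist: one absolute path per line.

# list_setuid DIR: print every setuid or setgid regular file below DIR,
# sorted, staying on the same filesystem (-xdev) to avoid wandering into
# mounts such as /proc.
list_setuid() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
}

# audit_setuid DIR ALLOWLIST: print setuid/setgid files under DIR that are
# not listed in ALLOWLIST. Returns 0 when everything is accounted for and
# 1 when at least one unexpected file was found.
audit_setuid() {
    dir=$1
    allow=$2
    # -x: whole-line match, -F: fixed strings, -v: keep the non-allowed ones.
    # "|| true" keeps a clean result (grep exit 1) from tripping set -e.
    unexpected=$(list_setuid "$dir" | grep -vxF -f "$allow" || true)
    if [ -n "$unexpected" ]; then
        printf 'Unexpected setuid/setgid files under %s:\n%s\n' "$dir" "$unexpected"
        return 1
    fi
    return 0
}

# Usage (paths are assumptions): audit_setuid /usr/bin /etc/setuid-allowlist
```

Run it periodically and diff the result against the previous run; a privileged binary appearing outside the allowlist is the event worth investigating.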
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com