Re: Bug#4465: security hole in netdiag package

To: tobias@et-inf.fho-emden.de, 4465@bugs.debian.org
Cc: submit@bugs.debian.org, Peter Tobias <tobias@server.et-inf.fho-emden.de>, debian-devel@lists.debian.org
Subject: Re: Bug#4465: security hole in netdiag package
From: Christoph Lameter <clameter@waterf.org>
Date: Tue, 10 Sep 1996 06:10:53 -0700 (PDT)
Message-id: <[🔎] Pine.LNX.3.93.960910060802.1560A-100000@waterf.org>
In-reply-to: <[🔎] 199609101213.OAA08252@server.et-inf.fho-emden.de>

Alright I tried all the ideas I had. What shall I do to get consistency
with network diagnostic tools that should be be in the hads of
troublemakers?

I know the adm group is not the right one. Shall I try to set up a new
group of users being able to use network diagnostics?

tcpdump and traceroute are essential network diagnostic tools. Somehow
they need to fit into the scheme. Before the netdiag package I manually
changed permissions on all machine I installed because our administrative
staff is doing troubleshooting on campus quite frequently.

Please respond by cc to me since I dont have access to debian-devel.

On Tue, 10 Sep 1996, Peter Tobias wrote:

tobias>Package: netdiag
tobias>Version: 0.2-3
tobias>
tobias>The postinst script copies the tcpdump binary from the tcpdump
tobias>package and the traceroute binary from the netstd package to /usr/bin
tobias>and makes them setuid root.adm. This allows all users in the existing
tobias>adm group to use tcpdump to get the unencrypted passwords that are
tobias>transmitted over the network.
tobias>
tobias>IMHO the netdiag package shouldn't use tcpdump/traceroute
tobias>(neither as binaries nor as links). Copying/linking binaries from
tobias>other packages just to have them in /usr/bin is a bad idea. Maybe
tobias>something like this should be added to the guidelines.
tobias>
tobias>
tobias>Thanks,
tobias>
tobias>Peter
tobias>
tobias>-- 
tobias> Peter Tobias                                EMail:
tobias> Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
tobias> Fachbereich Elektrotechnik und Informatik   tobias@debian.org
tobias> Constantiaplatz 4, 26723 Emden, Germany     tobias@linux.de
tobias>

{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}
{}    Snail Mail:   FTS Box 466, 135 N.Oakland Ave, Pasadena, CA 91182        {}
{}    FISH Internet System Administrator at Fuller Theological Seminary       {}
{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}
PGP Public Key  =  FB 9B 31 21 04 1E 3A 33  C7 62 2F C0 CD 81 CA B5

Reply to:

Follow-Ups:
- Bug#4465: security hole in netdiag package
  - From: Dirk.Eddelbuettel@qed.econ.queensu.ca

References:
- Bug#4465: security hole in netdiag package
  - From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>

Prev by Date: Bug#4465: security hole in netdiag package
Next by Date: Bug#4466: NE2000 clone not detected
Previous by thread: Bug#4465: security hole in netdiag package
Next by thread: Bug#4465: security hole in netdiag package
Index(es):
- Date
- Thread