
Re: Intent to package: ruplist



Remco van de Meent wrote:
> It is not released under GPL - these few lines cover the copyright issues:
> 
> 
>    RUPLIST - written by Roalt Zijlstra - Copyright 1996
> 
>    See for version number the Makefile.
> 
>    THIS SOFTWARE IS -AS IS-. USE OF THIS SOFTWARE IS AT YOUR OWN RISK THE
>    AUTHOR IS NOT RESPONSIBLE FOR ANY HARM DONE TO YOUR COMPUTER BY USING
>    THIS SOFTWARE.
> 
>    Ruplist may be distributed freely. Send any improvements or bug fixes to
>    Roalt Zijlstra <roalt@cal006033.student.utwente.nl>

This says nothing about distribution of derived works (such as Debian
packages).

> Any opinions? One more
> thing - it makes use of a mode 777 directory /var/spool/ruplist; this is to
> allow any user to 'update' the all-time-high statistics. I don't see any
> clear exploits - symlinking files to /etc/passwd and stuff is detected
> (symlinks get unlink()'ed before used). If someone likes to audit it before
> I upload it (if no one objects), I'd like to hear the results of course.

Yes, it should be audited, because from the description you give it's not
safe.  A symlink could be created between the detection and the use.

Richard Braakman
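
The window between detection and use described in the reply above, shown as an added example (not code from ruplist or from this thread): rather than checking the name and then opening it, open with O_NOFOLLOW and validate the descriptor with fstat(), so the check and the use refer to the same object. It assumes Linux; the function names and the temporary paths are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern from the thread, for contrast: lstat(path), unlink() it if it
 * is a symlink, then fopen(path). The name can be swapped before fopen(). */

/* Open an existing stats file without ever following a symlink.
 * Returns an fd, or -1 with errno set. */
int open_stats_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;              /* ELOOP if path is a symlink */
    /* Check the object we actually opened, not the name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;                  /* not a plain, singly linked file */
        return -1;
    }
    return fd;
}

/* Returns 0 if opened, otherwise the errno that caused the rejection. */
int try_open(const char *path)
{
    int fd = open_stats_nofollow(path);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char dir[] = "/tmp/ruplist-demo-XXXXXX";   /* constructed sample dir */
    char f[64], s[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(f, sizeof f, "%s/stats", dir);
    snprintf(s, sizeof s, "%s/link", dir);
    close(open(f, O_CREAT | O_WRONLY, 0600));
    if (symlink(f, s) != 0) return 1;
    printf("regular=%d symlink=%d\n", try_open(f), try_open(s));
    unlink(s); unlink(f); rmdir(dir);
    return 0;
}
```

O_NOFOLLOW covers only the last path component, and in a mode 777 directory without the sticky bit any user can still delete or replace the file itself.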

