
Re: Intent to package: ruplist



On Thu, Sep 17, 1998 at 08:29:00PM +0200, Richard Braakman wrote:
> > Any opinions? One more
> > thing - it makes use of a mode 777 directory /var/spool/ruplist; this is to
> > allow any user to 'update' the all-time-high statistics. I don't see any
> > clear exploits - symlinking files to /etc/passwd and stuff is detected
> > (symlinks get unlink()'ed before used). If someone likes to audit it before
> > I upload it (if no one objects), I'd like to hear the results of course.
> 
> Yes, it should be audited, because from the description you give it's not
> safe.  A symlink could be created between the detection and the use.

Yes, running it sgid daemon or games (kidding to show the solution to the
problem which is called high-score files) should solve that. Of course it
needs to be checked if that binary is sgid safe.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy
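
The race discussed in this thread, as an added example that is not part of the original messages and is not ruplist's code: the detect-then-use pattern next to a form that checks and opens in one step. The function names and the temporary directory are assumptions made for the illustration, and the hardened form goes slightly beyond the thread by also rejecting hard links and non-regular files.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the thread: detect a symlink, unlink() it, then open.
 * Anyone who can write to the directory can recreate the link between
 * the unlink() and the open(), and open() will follow it. */
int open_stats_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode))
        unlink(path);                            /* detection */
    return open(path, O_RDWR | O_CREAT, 0644);   /* use, after the gap */
}

/* Check and use in one step: the kernel refuses a symlink at open()
 * time, and the object is then validated through the descriptor. */
int open_stats_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;               /* ELOOP on Linux when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);               /* not a plain file, or hard-linked */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a private temp directory stands in for the
 * spool directory, with a symlink planted at the statistics path. */
int main(void)
{
    char dir[] = "/tmp/spoolXXXXXX", victim[64], stats[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(stats, sizeof stats, "%s/alltime", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink(victim, stats) != 0) return 1;
    int fd = open_stats_checked(stats);
    printf("symlink at stats path: fd=%d errno=%d\n", fd, errno);
    return fd >= 0;              /* exit 0 when the symlink was refused */
}
```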

