
Re: Intent to package: ruplist



On Thu, Sep 17, 1998 at 07:46:56PM +0200, Remco van de Meent wrote:
> Hi,
> 
> A friend of mine once wrote a program called `ruplist', which keeps track of
> the uptimes of computers on a LAN (running rwhod). It shows you the
> all-time-high record and things like that.

oooh cool :)
so I won't need to make a CGI pair which allows my public webserver to
run ud (uptime daemon) on internal machines :)

> It is not released under GPL - these few lines cover the copyright issues:
> 
> 
>    RUPLIST - written by Roalt Zijlstra - Copyright 1996
> 
>    See for version number the Makefile.
> 
>    THIS SOFTWARE IS -AS IS-. USE OF THIS SOFTWARE IS AT YOUR OWN RISK THE
>    AUTHOR IS NOT RESPONSIBLE FOR ANY HARM DONE TO YOUR COMPUTER BY USING
>    THIS SOFTWARE.
> 
>    Ruplist may be distributed freely. Send any improvements or bug fixes to
>    Roalt Zijlstra <roalt@cal006033.student.utwente.nl>
> 

Since the author is a friend...the licence could use some modifications....

Would "This software may be used, modified and/or distributed freely."
(need to cover modified ;)) And maybe a "Please send..." that way
sending in bug fixes doesn't appear to be a requirement of the licence
(maybe not important but...best to head off issues in the present)

 
> So I think it could go in main. I'm not sure however. Any opinions?

no not unless it specifically allows modifications to source and distributing
modified binaries.

> One more
> thing - it makes use of a mode 777 directory /var/spool/ruplist; this is to
> allow any user to 'update' the all-time-high statistics. I don't see any
> clear exploits - symlinking files to /etc/passwd and stuff is detected
> (symlinks get unlink()'ed before used). If someone likes to audit it before
> I upload it (if noone objects), I'd like to hear the results of course.

hmmm....
that's not good. WHY does ANY user need to be able to update the database?

The updates should be made via cron job (to ensure regularity). Also
when a normal user runs it it should probably do a current query of its
own and then compare that against the cron-updated database.

Alternately...maybe an suid wrapper?

having /tmp is bad enough (read an interesting article on using it to
completely subvert disk quota...by storing data in filenames which are hard
links in /tmp to files owned by others...not to mention scores of other
exploits/races/etc)

-Steve

-- 
/* -- Stephen Carpenter <sjc@delphi.com> --- <sjc@debian.org>------------ */
E-mail "Bumper Stickers":
"A FREE America or a Drug-Free America: You can't have both!"
"honk if you Love Linux"
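Since the reply argues for a cron job or suid wrapper rather than letting every user write into a mode 777 spool directory, here is an added example (not ruplist's code, and not from either poster) of how such a privileged updater can open a record file in a shared directory without relying on an "unlink the symlink first" check: O_NOFOLLOW refuses a planted symlink at open time, and fstat on the already-open descriptor checks type, owner and hard-link count. The path names and the demo helper are constructed for illustration.

```c
/* Added example, not ruplist's code: open a record file inside a shared
 * (world-writable) spool directory without the lstat/unlink-then-open race.
 * Assumes POSIX with O_NOFOLLOW (Linux, *BSD, macOS). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read/write, refusing to follow a symlink at the last component.
 * Returns an fd >= 0, or -1 when the path is a symlink (open fails with
 * ELOOP), is not a regular file, is owned by someone else, or has extra
 * hard links (the /tmp-style tricks mentioned in the thread). */
int open_spool_record(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)
        || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: in a fresh temp dir, plant a symlink named "record" that
 * points at another file, then check that open_spool_record() rejects it
 * while accepting a plain file. Returns 1 when both hold, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "ruplist-demo-XXXXXX";   /* created in the current directory */
    if (!mkdtemp(dir)) return 0;
    char target[64], link[64], plain[64];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/record", dir);
    snprintf(plain, sizeof plain, "%s/plain", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t >= 0) close(t);
    int ok = 0;
    if (symlink(target, link) == 0) {
        int bad = open_spool_record(link);   /* symlink: must be -1 */
        int good = open_spool_record(plain); /* real file: must be >= 0 */
        ok = (bad < 0 && good >= 0);
        if (good >= 0) close(good);
    }
    unlink(link); unlink(plain); unlink(target); rmdir(dir);
    return ok;
}
```

Run as the dedicated updater user (or from the suid wrapper), this is the check that makes a world-writable spool directory tolerable; the ownership and link-count tests are what defeat the hard-link trick mentioned above.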

