Re: Intent to package: ruplist
On Thu, Sep 17, 1998 at 07:46:56PM +0200, Remco van de Meent wrote:
> A friend of mine once wrote a program called `ruplist', which keeps track of
> the uptimes of computers on a LAN (running rwhod). It shows you the
> all-time-high record a things like that.
oooh cool :)
so I wont need to make a CGI pair which allows my public webserver to
run ud (updime deamon) on internal machines :)
> It is not released under GPL - these few lines cover the copyright issues:
> RUPLIST - written by Roalt Zijlstra - Copyright 1996
> See for version number the Makefile.
> THIS SOFTWARE IS -AS IS-. USE OF THIS SOFTWARE IS AT YOUR OWN RISK THE
> AUTHOR IS NOT RESPONSIBLE FOR ANY HARM DONE TO YOUR COMPUTER BY USING
> THIS SOFTWARE.
> Ruplist may be distributed freely. Send any improvements or bug fixes to
> Roalt Zijlstra <firstname.lastname@example.org>
Since the author is a friend...the licence could use some modifications....
Would "This software may be used, modifed and/or distributed freely."
(need to cover modified ;)) And maybe a "Please send..." that way
sending in bug fixes doesn't apear to be a requirement of the licence
(maybe not importnat but...best to head off issues in the present)
> So I think it could go in main. I'm not sure however. Any opinions?
no not unless it specifically allows modifications to source and distributing
> One more
> thing - it makes use of a mode 777 directory /var/spool/ruplist; this is to
> allow any user to 'update' the all-time-high statistics. I don't see any
> clear exploits - symlinking files to /etc/passwd and stuff is detected
> (symlinks get unlink()'ed before used). If someone likes to audit it before
> I upload it (if noone objects), I'd like to hear the results of course.
thats not good. WHY does ANY user need to be able to update the database?
The updates should be made via cron job (to ensure regularity). Also
whena normal user runs it it should probably do a current query of its
own and then compare that aginst the corn-updated database.
Alternatly...maybe an suid wrapper?
having /tmp is bad enough (read an interesting article on using it to
completely subvert disk quota...by storing data in filenames which are hard
links in /tmp to files owned by others...not to mention scores of other
/* -- Stephen Carpenter <email@example.com> --- <firstname.lastname@example.org>------------ */
E-mail "Bumper Stickers":
"A FREE America or a Drug-Free America: You can't have both!"
"honk if you Love Linux"