Re: Bug 26827 again (about secure-su)

On Wed, Oct 21, 1998 at 10:30:33AM +0200, Michael Meskes wrote:
> On Wed, Oct 21, 1998 at 02:42:28AM -0000, rcw@rcw.oz.net wrote:
> > Kevin Dalley fixed findutils 4.1-30 *more than a month ago*
> > to not use '-s /bin/sh'. Not that he updated bug #26827, but we'll overlook
> > that :)
> Thanks for pointing that out. It is really important IMO to see that
> secure-su does not break any essential package.

Hrrrrm, an issue for -policy, should it be required for one to make a
note to a bug report when you downgrade it stating WHY it was
downgraded? Looking at the log it seems that it WAS downgraded from
critical to grave but without any note as to why, thus the fact that
findutils was fixed went unnoticed..

However, I WOULD like to see some way to do a quick audit of packages
which use su, any takers?

> > All that has to be done is have secure-su fixed to Conflict: with findutils
> > 4.1-29, the only version released with '-s /bin/sh'.
> Agreed.

I'd say keep it important for now, as its handling of the -s flag is
quite horrid.. :/

Zephaniah E, Hull..

> Michael
> -- 
> Dr. Michael Meskes      | Th.-Heuss-Str. 61, D-41812 Erkelenz | Go SF49ers!
> Senior-Consultant       | business: Michael.Meskes@mummert.de | Go Rhein Fire!
> Mummert+Partner         |  private: Michael.Meskes@usa.net    | Use Debian
> Unternehmensberatung AG |           Michael.Meskes@gmx.net    | GNU/Linux!
