Re: Nomination question: Redhat

[ Don't Cc me on public replies ]

Joseph Carter <knghtbrd@debian.org> writes:

> On Sun, Dec 13, 1998 at 03:18:05AM +0000, James Troup wrote:
> > > I don't use it however.  Two releases in a row they have released
> > > programs suid root which should NOT be suid root.  This shows their
> > > development strategy is build it first and fast, then secure it.
> > > This is bad and I can't safely rely on that sort of development to
> > > be secure.
> > 
> > This is the worst possible kind of FUD.  Yes, Redhat did have some
> > programs inadvertently SUID, but then have you even bothered to check
> > how many SUID binaries we have and how valid their SUIDness is?  It's
> > not a pretty sight.  You also failed magnificently to remember the
> > recent fte fiasco, which was far worse than anything Redhat have
> > done[1].
> I am not aware of the problem with fte other than that I recall seeing
> one and seeing a fix happen.  The programs which were and should not have
> been suid included system config utilities on at least two occasions
> which is half of them that I know of (I know of 4 individual instances)

You're still missing the point.  The stuff on Redhat was not
immediately exploitable, it just could have been; fte being suid meant
any user could alter any file (e.g. /etc/passwd) just by running the
editor.  You're also continuing to ignore how many SUID binaries we
have, and how few of them have been glanced at, never mind audited.

> > In general Redhat respond faster than us to most security incidents
> > and Redhat have Alan Cox auditing code.  We don't.
> Dear me!  What ever are we going to do without a kernel hacker?

You fail, once again, to even vaguely grasp the point.  Auditing is a
_good_ thing, whether it's done by one ``kernel hacker'' or a team of
people (OpenBSD).  We don't do it; Redhat does.  And, BTW, dismissing
Alan Cox as nothing more than ``a kernel hacker'' is the most crass
thing I've ever seen you do.

Show me *your* code, or get out of my way.