Re: Nomination question: Redhat
[ Don't Cc me on public replies ]
Joseph Carter <knghtbrd@debian.org> writes:
> On Sun, Dec 13, 1998 at 03:18:05AM +0000, James Troup wrote:
> > > I don't use it however. Two releases in a row they have released
> > > programs suid root which should NOT be suid root. This shows their
> > > development strategy is build it first and fast, then secure it.
> > > This is bad and I can't safely rely on that sort of development to
> > > be secure.
> >
> > This is the worst possible kind of FUD. Yes, Redhat did have some
> > programs inadvertently SUID, but then have you even bothered to check
> > how many SUID binaries we have and how valid their SUIDness is? It's
> > not a pretty sight. You also failed magnificently to remember the
> > recent fte fiasco, which was far worse than anything Redhat have
> > done[1].
>
> I am not aware of the problem with fte other than that I recall seeing
> one and seeing a fix happen. The programs which were and should not have
> been suid included system config utilities on at least two occasions
> which is half of them that I know of (I know of 4 individual instances)
You're still missing the point. The stuff on Redhat was not
immediately exploitable, it just could have been; fte being suid meant
any user could alter any file (e.g. /etc/passwd) just by running the
editor. You're also continuing to ignore how many SUID binaries we
have, and how few of them have been glanced at, never mind audited.
> > In general Redhat respond faster than us to most security incidents
> > and Redhat have Alan Cox auditing code. We don't.
>
> Dear me! What ever are we going to do without a kernel hacker?
You fail, once again, to even vaguely grasp the point. Auditing is a
_good_ thing, whether it's done by one ``kernel hacker'' or a team of
people (OpenBSD). We don't do it; Redhat does. And, BTW, dismissing
Alan Cox as nothing more than ``a kernel hacker'' is the most crass
thing I've ever seen you do.
--
James
Show me *your* code, or get out of my way.
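The message above argues that the first step in any SUID audit is simply knowing how many setuid/setgid binaries a system carries. The script below is an added example, not code from this thread or from either distribution: it inventories setuid/setgid files under a given root and separately flags any that are also group- or world-writable, since a setid file that other users can modify lets them choose what runs with elevated privilege. The function names (`list_setid`, `list_writable_setid`, `count_setid`) are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original thread):
# inventory setuid/setgid files so each one can be reviewed for whether
# it actually needs the bit.

# list_setid [ROOT]: print every regular file under ROOT (default /)
# that has the setuid (4000) or setgid (2000) bit set.  -xdev keeps the
# walk on one filesystem so /proc, network mounts etc. are not scanned.
list_setid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# list_writable_setid [ROOT]: the subset of setid files that are also
# group-writable (0020) or world-writable (0002).  These deserve
# immediate attention: whoever can write the file controls the code
# that runs with the elevated uid/gid.
list_writable_setid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null
}

# count_setid [ROOT]: number of setid files, the figure the thread is
# arguing about.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: summarise the running system, then list the
# writable ones (normally an empty list on a sane install).
if [ "${1:-}" = "--run" ]; then
    echo "setid files under /: $(count_setid /)"
    echo "setid files that are group/world-writable:"
    list_writable_setid /
fi
```

On a Debian system each path from `list_setid` can be fed to `dpkg -S` to find the owning package, which turns the raw count into a per-package review list. Run with `sh script.sh --run`; root is needed only for directories the current user cannot read.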