
Re: Nomination question: Redhat



Joseph Carter <knghtbrd@debian.org> writes:

> On Sun, Dec 13, 1998 at 03:03:39PM -0500, Michael Stone wrote:
> > > This is the worst possible kind of FUD.  Yes, Redhat did have some
> > > programs inadvertently SUID, but then have you even bothered to check
> > > how many SUID binaries we have and how valid their SUIDness is?  It's
> > > not a pretty sight.  You also failed magnificently to remember the
> > > recent fte fiasco, which was far worse than anything Redhat have
> > > done[1].
> > 
> > But IIRC, the fte thing wasn't in a release version, was it? If you're
> > running a pre-release, you take what you get. OTOH, it's a good example
> > of why an open development model is a Good Thing: it got caught _before_
> > we sent it out on thousands of CDs.
> 
> Something that didn't happen with Redhat (which was my whole point in the
> first place).

No, it didn't happen with Redhat because Redhat weren't lame enough to
make an editor SUID; their SUID programs were only _potentially_
exploitable through buffer overruns and the like.

And as Ben pointed out, fte was only caught by complete happenstance;
it _very_ easily could have gone into slink.

-- 
James
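The quoted challenge above ("check how many SUID binaries we have and how valid their SUIDness is") is a concrete audit step. The script below is an added example written for this page, not code from the thread or from Debian; it lists every setuid/setgid file under a root and flags those not on a constructed allow-list (the default list and the `SUID_ALLOWLIST` variable are assumptions, and `ls -ld`/`awk` field positions assume a Linux-style long listing).

```shell
#!/bin/sh
# Added example (not from the original thread): audit setuid/setgid files
# against an allow-list so that an unexpected SUID binary (an editor, say)
# shows up in the report instead of shipping unnoticed.

# Constructed allow-list of paths whose SUID/SGID bit is expected.
# Assumption for this example; a real policy would list a site's own set.
SUID_ALLOWLIST="${SUID_ALLOWLIST:-/usr/bin/passwd /usr/bin/su /usr/bin/sudo}"

# find_suid ROOT: print every regular file below ROOT (same filesystem only)
# that has the setuid (4000) or setgid (2000) bit set, one path per line.
find_suid() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# is_allowed PATH: succeed if PATH is in SUID_ALLOWLIST.
is_allowed() {
    for a in $SUID_ALLOWLIST; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# audit_suid ROOT: print "mode owner group path" for each setuid/setgid file
# not on the allow-list. Exit status 0 means nothing unexpected was found,
# 1 means at least one unexpected SUID/SGID file was reported.
audit_suid() {
    root="${1:-/}"
    out=$(find_suid "$root" | while IFS= read -r f; do
        if ! is_allowed "$f"; then
            # ls -ld gives "mode links owner group ..."; keep mode, owner, group.
            printf '%s %s %s %s\n' $(ls -ld "$f" | awk '{print $1, $3, $4}') "$f"
        fi
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run as `audit_suid /` on a live system; a non-zero exit status with a printed line is the signal that a package has left an unexpected binary setuid.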

