
Bug#27050 (fdutils): A cause for security concern?


I received the following bug report about fdutils a while ago, but haven't
had time to deal with it yet.  Basically, the bug reporter is concerned that
the suid'ed fdmount could be insecure, because fdmount's manpage warns the
user not to rely on it being secure. 

So far, my suid'ed fdmount hasn't given me any trouble, and the upstream
defaults to suid'ing it, and I haven't heard any security warnings from
CERT (?) etc. either.  However, I have to admit that I do not know that much
about security.

As the Slink deep freeze and release are impending, I would like to ask your
advice: Should I follow the suggestion given by the bug reporter Thomas
Roessler?  If so, should I fix this bug before Slink is out?  I am kind of
busy with school now and would like to put it off till the holiday, but if
all of you experienced developers feel that it is urgent, I will try to fix
it before Slink is released.

Thanks again.  :-)  I have attached the bug report below.



Package: fdutils; Reported by: Thomas Roessler <roessler@guug.de>;  dated
Thu, 24 Sep 1998 15:33:01 GMT; Maintainer for fdutils is Anthony Fok

Package: fdutils
Version: 5.2pl4-3

[This is on a current hamm system.]

Even fdmount's own manual page says that users should not rely on
the program being secure.  I consider it a bug that the fdutils
package installs this program suid root regardless of this warning.

Either you have checked the program's security - in this case you
may install it suid root and remove the warning from the manual
page.  Or you didn't do the checks you should - in this case you
should release a new package which installs the program mode 755 by
default and tells the user that he can get full functionality only
when registering it suid root.  (gnuplot does something like this
using suidmanager.)  

Regards, tlr

-- System Information
Debian Release: 2.0
Kernel Version: Linux sobolev 2.1.122 #43 SMP Thu Sep 17 14:24:19 MEST 1998 i586 unknown

Versions of the packages fdutils depends on:
ii  libc6           2.0.7t-1       The GNU C library version 2 (run-time files)
ii  makedev         1.6-32         Creates special device files in /dev.

Anthony Fok Tung-Ling                Civil and Environmental Engineering
foka@ualberta.ca, foka@debian.org    University of Alberta, Canada
anthony_fok@catholic.org             Keep smiling!  *^_^*
Come visit Our Lady of Victory Camp -- http://www.olvc.ddns.org/
                                    or http://www.ualberta.ca/~foka/OLVC/
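As an added example (not part of the above e-mail or of fdutils itself), the check a maintainer or administrator could run to see whether a package such as fdutils ships any setuid binaries, and to drop the bit to the mode 755 that the bug report proposes. It assumes a Debian system with `dpkg` and POSIX `find`; the package name is a parameter.

```shell
#!/bin/sh
# Audit an installed Debian package for setuid files and optionally drop the
# setuid bit so the binary runs as the invoking user (mode 755 instead of 4755).

# is_setuid PATH: succeed if PATH exists and carries the setuid bit.
# POSIX find with -prune looks only at PATH itself; -perm -4000 tests the bit.
is_setuid() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# audit_package_suid PACKAGE: print "mode owner path" for every setuid file
# listed by dpkg for PACKAGE (e.g. fdutils -> /usr/bin/fdmount when 4755).
audit_package_suid() {
    dpkg -L "$1" 2>/dev/null | while IFS= read -r f; do
        [ -f "$f" ] || continue
        if is_setuid "$f"; then
            # shellcheck disable=SC2012  # ls is portable here; stat -c is GNU-only
            ls -ld "$f" | awk -v p="$f" '{ print $1, $3, p }'
        fi
    done
}

# drop_setuid PATH: remove the setuid bit, leaving other permission bits alone.
# This is the "mode 755 by default" state; full functionality would then need
# the administrator to re-register the program suid root deliberately.
drop_setuid() {
    chmod u-s "$1"
}

# Usage when run directly: audit the package named on the command line.
if [ "$#" -ge 1 ] && [ "${0##*/}" != "sh" ]; then
    audit_package_suid "$1"
fi
```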
