
Re: Bug#27050 (fdutils): A cause for security concern?

On Tue, Jan 19, 1999 at 02:29:44PM -0700, Anthony Fok wrote:
> As the Slink deep freeze and release are impending, I would like to ask your
> advice: Should I follow the suggestion given by the bug reporter Thomas
> Roessler?  If so, should I fix this bug before Slink is out?  I am kind of
> busy with school now and would like to put it off till the holiday, but if
> all of you experienced developers feel that it is urgent, I will try to fix
> it before Slink is released.

I would suggest making it sgid to group floppy, then make it mode 2754.
There doesn't seem to be a need to have it suid root since /dev/fd? is
writable by group floppy. It gives three advantages: 1) Only people
in group floppy will be able to execute it, which gives the admin more
control, 2) The admin can set up login.defs to give console users group
floppy automatically, a big plus since people only need to access the
floppy when they have physical access anyway, and 3) it is way more
secure than suid root; at worst, if the program is exploitable, you only
stand to lose floppy data as opposed to your entire machine.

-----    -- - -------- --------- ----  -------  -----  - - ---   --------
Ben Collins <b.m.collins@larc.nasa.gov>                  Debian GNU/Linux
UnixGroup Admin - Jordan Systems Inc.                 bcollins@debian.org
------ -- ----- - - -------   ------- -- The Choice of the GNU Generation
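
An added example, not part of the original message: a shell check that audits a helper binary against the layout suggested above (setgid to group floppy, mode 2754, no setuid root). The function names and sample rows are constructed for illustration, and `audit_path` assumes GNU `stat`.

```shell
#!/bin/sh
# Audit a floppy helper's owner, group and mode against the suggested
# layout: setgid group floppy, mode 2754, not setuid root.

# classify_mode OCTAL_MODE OWNER GROUP
# Prints one verdict: suid-root, world-exec, wrong-group, no-sgid or ok.
classify_mode() {
    mode=$1 owner=$2 group=$3
    bits=$((0$mode))        # leading 0 makes the shell read the mode as octal
    # Setuid bit on a root-owned file: a flaw in the program costs the machine.
    if [ $((bits & 04000)) -ne 0 ] && [ "$owner" = "root" ]; then
        echo suid-root; return
    fi
    # Execute bit for "other": any local user can run it, group or not.
    if [ $((bits & 0001)) -ne 0 ]; then
        echo world-exec; return
    fi
    if [ "$group" != "floppy" ]; then
        echo wrong-group; return
    fi
    # Needs both the setgid bit and group execute to run with group floppy.
    if [ $((bits & 02000)) -eq 0 ] || [ $((bits & 0010)) -eq 0 ]; then
        echo no-sgid; return
    fi
    echo ok
}

# audit_path FILE: classify a real file (GNU stat: %a mode, %U owner, %G group)
audit_path() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    set -- $info
    classify_mode "$1" "$2" "$3"
}

# Constructed samples (mode owner group), not taken from a real system.
for sample in "4755 root root" "2755 root floppy" "2754 root floppy"; do
    set -- $sample
    printf '%s %s:%s -> %s\n' "$1" "$2" "$3" "$(classify_mode "$1" "$2" "$3")"
done
```

To check an installed binary, call `audit_path` with its path; anything other than `ok` means the file does not match the suggested layout.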
