[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#27050 (fdutils): A cause for security concern?

On Tue, Jan 19, 1999 at 04:43:37PM -0500, Ben Collins wrote:

> On Tue, Jan 19, 1999 at 02:29:44PM -0700, Anthony Fok wrote:
> > As the Slink deep freeze and release are impending, I would like to ask
> > your advice: Should I follow the suggestion given by the bug reporter
> > Thomas Roessler?  If so, should I fix this bug before Slink is out?  I
> > am kind of busy with school now and would like to put it off till the
> > holiday, but if all of you experienced developers feel that it is
> > urgent, I will try to fix it before Slink is released.
> I would suggest making it sgid to group floppy, them make it mode 2754.
> There doesn't seem to be a need to have it suid root since /dev/fd? is
> writable by group floppy.

I don't think you can mount filesystems unless you're root.

> 1) Only people in group floppy will be able to execute it,

That's a useful feature, though.  You could make it owned by root.floppy,
mode 1754.  (There is no real need to make it setgid floppy in any case.)

When the docs for a setuid program warn you "not to trust its security"
then be afraid, be very afraid.  It shouldn't be automatically setuid in
Debian until _some_ security-conscious person has audited it carefully.

Have fun,


Reply to: