Quoting Wichert Akkerman (wakkerma@cs.leidenuniv.nl): > Previously Michael Stone wrote: > > > perl-suid 31904 [B.A.McCauley@BHAM.AC.UK: Secuity hole with perl (suidperl) and nosuid mounts on Linux] [13] (Darren Stalder <torin@daft.com>) > > > > I'm not sure there's much we can do about this one--it's a library (kernel?) > > problem. Perhaps a note in the postinst that the 'nosuid' mount option won't > > work, and a suggestion that care be taken with user-mountable media? > > What perl-suid should do is check the mountoptions for the filesystem on > which the script resides and abort if that was mounted with nosuid. > Should be quite simple actually.. But that's still not general enough. For example, you just missed the case of noexec... The solution should be done at a higher level, IMHO, so we don't have to hack up every program that might try something like this (suid-python or suid-tcl or somesuch) and then rehack it when we come up with another failure case. But if we decide a quick hack is necessary, it needs to be thought out. [Snip updates on things that are fixed--great!] > > I'll look at 32485 unless someone has a patch ready. > > I fail to see why 32485 is release-critical.. there are probably lots of > other programs that also don't work with MD5 passwords. Do I hear > somebody saying PAM? Well, I think that this program is odd enough to be worth fixing (specifically, where did it come up with 20-something as the max password length?) And I haven't found much else that breaks with long passwords. (E.g., login's fine, xdm's fine, ssh works, ftp's ok.) Besides, this is something that will have to be fixed eventually for pam, but it's seperate from the pam-specific mods that need to be done. Mike Stone
Attachment:
pgpxiYurKDUMo.pgp
Description: PGP signature