Re: a question about BTS severities

On Mon, Sep 27, 1999 at 05:30:51PM -0700, Joey Hess wrote:
> > 
> > Actually, it should be critical if it's a root exploit.  Grave only includes
> > those that only compromise the user's account.
> Last I checked, root is a user. This is not a formal definition we're
> working from, please use common sense. (Note: grave is a _higher_ priority
> than critical. Note also: root exploits tend to turn into user account
> exploits as soon as the attacker wants them to.)

Root may be a user, but he is a special one at that :) root has privileges
that no other users have.  If a user account was compromised, the attacker
is only able to perform tasks that user was allowed to; however, if the
root account is compromised, then that implies the compromise of all user
accounts on that machine, and things like using privileged ports, or
doing port IO, etc.

Also, AFAIK, critical is listed above grave (and important and others) in
all the relevant docos that I've seen.
