
Re: a question about BTS severities

On Tue, Sep 28, 1999 at 12:01:16PM +1000, Herbert Xu wrote:
> On Mon, Sep 27, 1999 at 05:30:51PM -0700, Joey Hess wrote:
> > > 
> > > Actually, it should be critical if it's a root exploit.  Grave only includes
> > > those that only comprise the user's account.
> > 
> > Last I checked, root is a user. This is not a formal definition we're
> > working from, please use common sense. (Note: grave is a _higher_ priority
> > than critical. Note also: root exploits tend to turn into user account
> > exploits as soon as the attacker wants them to.)
> Root may be a user, but he is a special one at that :) root has privileges
> that no other users have.  If a user account was compromised, the attacker
> is only able to perform tasks that user was allowed to, however, if the
> root account is compromised, then that implies the compromise of all user
> accounts on that machine, and things like using privileged ports, or
> doing port IO, etc.

I think that any user account exploit is critical -> maybe it's a sudoers,
not. However, grave is for exploits such as external access to private files
without, however, giving login access to the machine.

> Also, AFAIK, critical is listed above grave (and important and others) in
> all the relevant docos that I've seen.

That's what I read also.

> -- 
> Debian GNU/Linux 2.1 is out! ( http://www.debian.org/ )
> Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Fabien Ninoles        Chevalier servant de la Dame Catherine des Rosiers
aka Corbeau aka le Veneur Gris               Debian GNU/Linux maintainer
E-mail:                                                    fab@tzone.org
WebPage:                                    http://www.tzone.org/~fabien
RSA PGP KEY [E3723845]: 1C C1 4F A6 EE E5 4D 99  4F 80 2D 2D 1F 85 C1 70
