Re: Whom the BIND newest vulnerability concerns?
On Tue, Nov 16, 1999 at 11:55:47AM +0100, Russell Coker wrote:
>
> To do this properly you should kill the daemon as the user it runs under. So
> to stop the LDAP server you would do:
> sudo -u ldap kill `cat /var/run/slapd.pid`
Not if there daemons that are running as root and writing pid files to
/var/run.
> Also keep in mind that only group daemon can create a PID file. So an
> average user won't be able to create one unless they subvert a daemon.
Yes, but the whole point of the group daemon is to limit the damage if one of
them is compromised. Now if that was the goal, I don't why won't you just go
that one step further and use subdirectories so that when of them is cracked,
the cracker doesn't get to write pid files.
> We can't make it absolutely impossible for a misconfigured system to be
> broken. We can't make it impossible for a buggy program to be exploited to
> the disadvantage of the administrator. But we can make it a lot harder for
> bad users without expending too much effort. I believe that my proposal
> achieves those aims.
Of course not, but when there's something as simple as creating subdirectories
which will buy you a little extra safety, why not use it.
--
Debian GNU/Linux 2.1 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Reply to: