Re: SECURITY PROBLEM: autofs [all versions]
Robert Bihlmeyer wrote:
>
> "Christopher W. Curtis" <ccurtis@aet-usa.com> writes:
>
> [chmod -x /sbin/portmap]
>
> > It's not wrong, it simply won't persist between package upgrades. If
> > you hack the init script, the package won't upgrade smoothly.
>
> Please prove your claim that removing the x bit is more correct than
> putting "exit 0" in front of the init script. The former needs a
> manual intervention at every upgrade, while the latter needs manual
> intervention only when the init script changed.
This cannot be proven - I didn't want it to run, so I chmod -x it. It
seemed like a logical thing to do. I didn't want to delete it because I
may have wanted it again later, and I didn't want to rename it because
it would leave cruft in /sbin.
> > The need for doing this is a deficiency in the debain system
> > configuration process. update-rc.d doesn't persist either, and this
> > is the "correct" way.
>
> If the following piece from update-rc.d(8) is not correct, please file
> a bug:
You see, the problem here was that I did not know about update-rc.d at
the time, and the person who was kind enough to point this out to me,
told me only how to remove the link, not rename them, as Ingo Saitz
(Ingo.Saitz@stud.uni-hannover.de) pointed out a couple mnessages ago (a
message, btw, which I have saved). I assumed that the person who told
me about update-rc.d knew that this was the extent to which it would be
helpful. I did not persue it further, nor does this seem to be common
knowledge among the Debian users.
> > The issue itself is trivial - my 'beef' is with the people
> > (and attitudes) who tried to tell me that crashing is the right thing to
> > do.
>
> What did crash? The shell? A script being aborted with "/sbin/portmap:
> Permission denied" is a crash in your eyes.
It is essentially a "crash" - a term I initially used quoted, and
dropped the quotes later. The program made an insufficient check and
tried to run an illegal set of instructions. Under unix, this often
results in a core dump. Under Windows, a UAE. The shell happens to
ignore it and continue processing. But the lack of a core dump does not
mean it's correct.
> > Besides, to me, printing a warning (being notified) is more informative
> > than seeing an error dump and knowing what it is supposed to mean,
> > [...]
>
> I don't see how you can get much more descriptive than the Permission
> denied message.
"Permission denied" is almost useless when you're watching three
screenfuls of information scroll past in about 12 seconds, as tens if
not over a hundred different scripts are being run. However, a message
that says, "The portmapper is present, but not executable. This will
work for now, but it'll start running again if netbase is upgraded." is
a *lot* more informative.
But I did not ask for that. I asked only that it check -x, and not -f,
thereby printing no error whatsoever. The error printed is not the
script saying something is wrong - it is bash saying the script is
trying to do something wrong.
Christopher
Reply to: