Re: setuid/setgid binaries contained in the Debian repository.

To: debian-devel@lists.debian.org
Subject: Re: setuid/setgid binaries contained in the Debian repository.
From: Matt Zimmerman <mdz@debian.org>
Date: Mon, 11 Aug 2003 12:25:37 -0400
Message-id: <[🔎] 20030811162537.GH15143@alcor.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 87ptjcz17d.fsf@mrvn.homelinux.org>
References: <fkJl.2C7.7@gated-at.bofh.it> <[🔎] 2003-08-10_22.25.59@alfie.ist.org> <[🔎] 20030810232349.GH23819@alcor.net> <[🔎] 200308110945.50230.josef@ggzgamingzone.org> <[🔎] 20030811085650.GA17898@evbergen.xs4all.nl> <[🔎] 20030811132842.GQ23819@alcor.net> <[🔎] 20030811140040.GA7413@evbergen.xs4all.nl> <[🔎] 20030811143347.GA15143@alcor.net> <[🔎] 87ptjcz17d.fsf@mrvn.homelinux.org>

On Mon, Aug 11, 2003 at 05:03:02PM +0200, Goswin von Brederlow wrote:

> Matt Zimmerman <mdz@debian.org> writes:
> > The only barrier I see is that it would clean the environment variables.
> > Yes, this is a popular attack vector, but it is by no means the only one.
> 
> The wrapper couldbe setuid root and drop to game.
> 
> But I rather have some game exploits than a root exploit due to a
> buggy wrapper.

This doesn't sound _entirely_ unreasonable.  The wrapper would be simple
enough that one could have a high degree of confidence in its security.
However, it does obfuscate the process, making it difficult to see how it
works from looking at the filesystem.

-- 
 - mdz

Reply to:

References:
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Gerfried Fuchs <nutznetz@alfie.ist.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Josef Spillner <josef@ggzgamingzone.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Emile van Bergen <emile-deb@evbergen.xs4all.nl>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Emile van Bergen <emile-deb@evbergen.xs4all.nl>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>

Prev by Date: Re: better make a standard for /etc/*/*_not_to_be_run
Next by Date: Re: better make a standard for /etc/*/*_not_to_be_run
Previous by thread: Re: setuid/setgid binaries contained in the Debian repository.
Next by thread: Re: setuid/setgid binaries contained in the Debian repository.
Index(es):
- Date
- Thread