Re: Removing system users on purge [Re: Bits from the release team: the plans for etch]

To: debian-devel@lists.debian.org
Subject: Re: Removing system users on purge [Re: Bits from the release team: the plans for etch]
From: Frank Küster <frank@debian.org>
Date: Thu, 27 Oct 2005 16:11:53 +0200
Message-id: <[🔎] 87hdb32gnq.fsf@alhambra.kuesterei.ch>
In-reply-to: <[🔎] 20051027133604.GG6026@ns.snowman.net> (Stephen Frost's message of "Thu, 27 Oct 2005 09:36:04 -0400")
References: <[🔎] 20051025202118.GA10290@javifsp.no-ip.org> <[🔎] E1EUecU-0004QS-NV@scyw00225.scy001.de> <[🔎] 20051026091100.GA3940@javifsp.no-ip.org> <[🔎] 20051026115319.GE15626@boogie.lpds.sztaki.hu> <[🔎] 20051026135036.GB26323@javifsp.no-ip.org> <[🔎] 87irvkti6r.fsf@alhambra.kuesterei.ch> <[🔎] 20051026154548.GA30978@javifsp.no-ip.org> <[🔎] 20051026184857.GC3379@rzlab.ucr.edu> <[🔎] 20051026191236.GC6026@ns.snowman.net> <[🔎] 87acgv8isr.fsf@alhambra.kuesterei.ch> <[🔎] 20051027133604.GG6026@ns.snowman.net>

Stephen Frost <sfrost@snowman.net> wrote:

> * Frank K?ster (frank@debian.org) wrote:
>> Stephen Frost <sfrost@snowman.net> wrote:
>> > Have we actually got a specific case of this happening and there being a
>> > real security threat from it?
>> 
>> When I ran a samba server years ago, I changed the default log file names
>> and, IIRC, location.
>
> Were they owned by the samba uid?

I don't know for sure, but I think yes.

> Were they terribly sensitive?

In some cases knowledge of filenames that one user uses would have been
very interesting for some other users.

> Did
> you ever actually uninstall samba?  Was the samba uid reused?

Since I left that server to somebody else, I can only speculate:
Probably no, but I cannot exclude it (e.g. if there ever was a samba-ng
package or something like that, they might have tried it instead).

>  Was there 
> an actual compramise of the files by another daemon?

I assume that in this case I'd know.  

> I'm looking for actual cases of this 'security hole' being exploited, 

Sorry, I can't help you.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer

Reply to:

References:
- Re: Bits from the release team: the plans for etch
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: Bits from the release team: the plans for etch
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: Bits from the release team: the plans for etch
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: Bits from the release team: the plans for etch
  - From: Gabor Gombas <gombasg@sztaki.hu>
- Re: Bits from the release team: the plans for etch
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: Bits from the release team: the plans for etch
  - From: Frank Küster <frank@debian.org>
- Re: Bits from the release team: the plans for etch
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Removing system users on purge [Re: Bits from the release team: the plans for etch]
  - From: Don Armstrong <don@debian.org>
- Re: Removing system users on purge [Re: Bits from the release team: the plans for etch]
  - From: Stephen Frost <sfrost@snowman.net>
- Re: Removing system users on purge [Re: Bits from the release team: the plans for etch]
  - From: Frank Küster <frank@debian.org>
- Re: Removing system users on purge [Re: Bits from the release team: the plans for etch]
  - From: Stephen Frost <sfrost@snowman.net>

Prev by Date: Re: A thought about killing two bird with one stone
Next by Date: old question with new status? Sun-Java in Debian non-free?
Previous by thread: Re: Removing system users on purge [Re: Bits from the release team: the plans for etch]
Next by thread: Re: Bits from the release team: the plans for etch
Index(es):
- Date
- Thread