
Re: Updating fis-gtm package to 6.1



Hi Bhaskar,

On Sat, Feb 08, 2014 at 09:25:51PM -0500, Bhaskar, K.S wrote:
> 
> [KSB] gtmsecshr is a program that is installed setuid root because
> there are functions it performs on behalf of normal processes
> (unlike many database engines, GT.M does not use a database daemon).
> Details of these functions are in Appendix E (Security Philosophy)
> of the GT.M Administration and Operations Guide UNIX Edition (for
> all current GT.M documentation, go to http://fis-gtm.com and click
> on the User Documentation tab).
> 
> Since gtmsecshr is installed as setuid root, it has a number of
> checks to validate its invocation, including that it is being
> invoked from the GT.M distribution to which it belongs.  As there
> would be a vulnerability in the validation if the link were a
> symbolic link, it _must_ be a hard link.  As the hard link is
> between the directories pointed to by $gtm_dist and $gtm_dist/utf8,
> and as the utf8 subdirectory is created as part of the GT.M
> installation, there is never a case where the utf8 subdirectory is
> on a different file system, and never a case where the symbolic link
> is appropriate.

Thanks for the verbose explanation.  @Luis:  Could you please add a link
to this explanation in the mailing list archive as a comment in the
lintian override file.

Kind regards

       Andreas.

-- 
http://fam-tille.de
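The hard-link requirement quoted above, turned into a check a packager or auditor can run: this is an added example and not code from the thread, from GT.M or from the Debian fis-gtm package. It assumes a throwaway directory standing in for $gtm_dist (constructed paths, not a real installation) and uses the `test -ef` operator, which reports whether two paths resolve to the same device and inode. The security-relevant detail is that `-ef` follows symbolic links, so a symlink would pass an inode comparison; the helper therefore rejects symlinks with `-L` before comparing, which is exactly the property the quoted explanation insists on.

```shell
#!/bin/sh
# Added example (not part of the original thread, GT.M, or the Debian package):
# verify that two paths are hard links to the same regular file and refuse
# symbolic links, as required for $gtm_dist/gtmsecshr and $gtm_dist/utf8/gtmsecshr.

# same_hardlink PATH1 PATH2
#   returns 0 if both paths are regular files sharing one device:inode,
#   returns 1 otherwise.  Symbolic links are rejected up front because
#   "test -ef" follows them and would report a symlink as "the same file".
same_hardlink() {
    if [ -L "$1" ] || [ -L "$2" ]; then
        return 1
    fi
    [ -f "$1" ] && [ -f "$2" ] && [ "$1" -ef "$2" ]
}

# demo: build a constructed layout mirroring $gtm_dist and $gtm_dist/utf8 in a
# temporary directory, check the hard link and the symlink, and print a summary.
# Expected output: hardlink-ok,symlink-refused
demo() {
    dist=$(mktemp -d) || return 2
    mkdir "$dist/utf8"
    printf 'placeholder, not a real gtmsecshr binary\n' > "$dist/gtmsecshr"
    # the layout the package ships: a hard link (same inode, same file system)
    ln "$dist/gtmsecshr" "$dist/utf8/gtmsecshr"
    # the layout lintian would prefer but which the validation must not accept
    ln -s ../gtmsecshr "$dist/utf8/gtmsecshr.symlink"

    if same_hardlink "$dist/gtmsecshr" "$dist/utf8/gtmsecshr"; then
        result="hardlink-ok"
    else
        result="hardlink-bad"
    fi
    if same_hardlink "$dist/gtmsecshr" "$dist/utf8/gtmsecshr.symlink"; then
        result="$result,symlink-accepted"
    else
        result="$result,symlink-refused"
    fi

    rm -rf "$dist"
    echo "$result"
}

demo
```

Because a hard link cannot span file systems, the check also encodes the second half of the quoted argument: if `$gtm_dist/utf8` were ever on a different file system the `ln` would fail at install time rather than silently degrading to a symlink.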

