
Re: DSA 557-1 and CAN-2004-0564

David F. Skoll wrote:
> The rp-pppoe "security advisory" is totally bogus.  rp-pppoe is
> not meant to run SUID-root, and nowhere in the documentation is this
> recommended.

There are reasons users install it setuid / setgid, and these installations
are vulnerable.

> You might as well post a security advisory about "ls" because it doesn't
> drop privileges if it's installed SUID-root.

If it would be common for ls to run setuid/setgid and it was vulnerable
to any attack, we'd have to, unfortunately.



Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.
