Re: DSA 557-1 and CAN-2004-0564
David F. Skoll wrote:
> The rp-pppoe "security advisory" is totally bogus. rp-pppoe is
> not meant to run SUID-root, and nowhere in the documentation is this
> recommended.
There are reasons users install it setuid / setgid, and these installations
are vulnerable.
> You might as well post a security advisory about "ls" because it doesn't
> drop privileges if it's installed SUID-root.
If it would be common for ls to run setuid/setgid and it was vulnerable
to any attack, we'd have to, unfortunately.
Regards,
Joey
--
Everybody talks about it, but nobody does anything about it! -- Mark Twain
Please always Cc to me when replying to me on the lists.