Re: DSA 557-1 and CAN-2004-0564

To: "David F. Skoll" <dfs@roaringpenguin.com>
Cc: debian-security@lists.debian.org, cve@mitre.org
Subject: Re: DSA 557-1 and CAN-2004-0564
From: Martin Schulze <joey@infodrom.org>
Date: Mon, 4 Oct 2004 16:14:04 +0200
Message-id: <[🔎] 20041004141404.GY15510@finlandia.infodrom.north.de>
In-reply-to: <[🔎] Pine.LNX.4.58.0410040952350.21496@shishi.roaringpenguin.com>
References: <[🔎] Pine.LNX.4.58.0410040952350.21496@shishi.roaringpenguin.com>

David F. Skoll wrote:
> The rp-pppoe "security advisory" is totally bogus.  rp-pppoe is
> not meant to run SUID-root, and nowhere in the documentation is this
> recommended.

There are reasons users install it setuid / setgid, and these installations
are vulnerable.

> You might as well post a security advisory about "ls" because it doesn't
> drop privileges if it's installed SUID-root.

If it would be common for ls to run setuid/setgid and it was vulnerable
to any attack, we't have to, unfortunately.

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.

Reply to:

Follow-Ups:
- Re: DSA 557-1 and CAN-2004-0564
  - From: "David F. Skoll" <dfs@roaringpenguin.com>

References:
- Re: DSA 557-1 and CAN-2004-0564
  - From: "David F. Skoll" <dfs@roaringpenguin.com>

Prev by Date: Re: DSA 557-1 and CAN-2004-0564
Next by Date: Re: DSA 557-1 and CAN-2004-0564
Previous by thread: Re: DSA 557-1 and CAN-2004-0564
Next by thread: Re: DSA 557-1 and CAN-2004-0564
Index(es):
- Date
- Thread