Re: DSA 557-1 and CAN-2004-0564

To: Martin Schulze <joey@infodrom.org>
Cc: debian-security@lists.debian.org, cve@mitre.org
Subject: Re: DSA 557-1 and CAN-2004-0564
From: "David F. Skoll" <dfs@roaringpenguin.com>
Date: Mon, 4 Oct 2004 10:27:28 -0400 (EDT)
Message-id: <[🔎] Pine.LNX.4.58.0410041025410.21496@shishi.roaringpenguin.com>
In-reply-to: <[🔎] 20041004141404.GY15510@finlandia.infodrom.north.de>
References: <[🔎] Pine.LNX.4.58.0410040952350.21496@shishi.roaringpenguin.com> <[🔎] 20041004141404.GY15510@finlandia.infodrom.north.de>

On Mon, 4 Oct 2004, Martin Schulze wrote:

> There are reasons users install it setuid / setgid, and these installations
> are vulnerable.

I disagree.  There is absolutely *no* reason to install rp-pppoe
setuid-root.  It is normally invoked by pppd, and pppd must be either
invoked by root or setuid-root itself.  Could you name a scenario in
which a setuid-root rp-pppoe is needed?

Regards,

David.

Reply to:

Follow-Ups:
- Re: DSA 557-1 and CAN-2004-0564
  - From: Martin Schulze <joey@infodrom.org>
- Re: DSA 557-1 and CAN-2004-0564
  - From: Max Vozeler <max@hinterhof.net>

References:
- Re: DSA 557-1 and CAN-2004-0564
  - From: "David F. Skoll" <dfs@roaringpenguin.com>
- Re: DSA 557-1 and CAN-2004-0564
  - From: Martin Schulze <joey@infodrom.org>

Prev by Date: Re: DSA 557-1 and CAN-2004-0564
Next by Date: Re: DSA 557-1 and CAN-2004-0564
Previous by thread: Re: DSA 557-1 and CAN-2004-0564
Next by thread: Re: DSA 557-1 and CAN-2004-0564
Index(es):
- Date
- Thread