Re: DSA 557-1 and CAN-2004-0564
David F. Skoll wrote:
> On Mon, 4 Oct 2004, Martin Schulze wrote:
>
> > There are reasons users install it setuid / setgid, and these installations
> > are vulnerable.
>
> I disagree. There is absolutely *no* reason to install rp-pppoe
> setuid-root. It is normally invoked by pppd, and pppd must be either
> invoked by root or setuid-root itself. Could you name a scenario in
> which a setuid-root rp-pppoe is needed?
Please talk to the Debian maintainer of rp-pppoe since pppoe is installed
root.dip and setuid in Debian sarge and sid. The maintainer can be reached
through pppoe@packages.debian.org. Details about this package can be found
here: http://packages.debian.org/pppoe
Regards,
Joey
--
Everybody talks about it, but nobody does anything about it! -- Mark Twain
Please always Cc to me when replying to me on the lists.
Reply to: