
Bug#189659: will adopt dnrd



On Thu, Apr 24, 2003 at 10:30:06PM +1000, Anibal Monsalve Salazar wrote:
> SECURITY NOTE: dnrd is susceptible to buffer overflow attacks.
> However, by default dnrd changes to the "nobody" user. It also does
> a chroot to the /etc/dnrd directory, after checking that /etc/dnrd
> exists and contains no subdirectories and no executables and is only
> writable by root.

Using the nobody user as a workaround for possible security holes seems a
really bad idea.

At the very least, please consider using another user ID, as other
programs might be using the nobody user. If one program is compromised,
the rest will also become compromised if they are sharing the one user.

Also, even using a non-root, non-shared user ID is not going to prevent
an attacker doing damage via a buggy daemon; non-root users can do bad
things too, e.g. DoS attacks (ulimits should help here), attacks on computers
on private/firewalled networks, etc.
-- 
Brian May <bam@debian.org>
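
The directory checks described in the quoted note, combined with the dedicated account suggested in the reply, sketched in C as an added example (not dnrd's code and not written by either poster). The names `jail_dir_ok`, `enter_jail`, `svc_uid` and `svc_gid` are hypothetical, and the service account is assumed to exist already.

```c
#include <dirent.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 0 if path is a directory owned by `owner`, writable by its owner only,
 * holding no subdirectories and no executables; -1 otherwise. */
int jail_dir_ok(const char *path, uid_t owner)
{
    struct stat st;
    char child[4096];
    struct dirent *e;
    int ok = 0;

    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    DIR *d = opendir(path);
    if (d == NULL)
        return -1;
    while (ok == 0 && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        int n = snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        /* lstat: on Linux a symlink reports mode 0777, so it is rejected too */
        if (n < 0 || (size_t)n >= sizeof child || lstat(child, &st) != 0 ||
            S_ISDIR(st.st_mode) || (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
            ok = -1;
    }
    closedir(d);
    return ok;
}

/* Must run as root. svc_uid/svc_gid belong to an account used by this
 * daemon alone (hypothetical; not "nobody"). Order matters: chroot, then
 * groups, then gid, then uid, then prove root cannot be regained. */
int enter_jail(const char *path, uid_t svc_uid, gid_t svc_gid)
{
    if (svc_uid == 0 || jail_dir_ok(path, 0) != 0)
        return -1;
    if (chroot(path) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(svc_gid) != 0 || setuid(svc_uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;   /* regaining root means the drop failed */
}
```

As the reply points out, this limits what a compromised daemon can reach but does not stop resource exhaustion or outbound network abuse; those need resource limits and packet filtering in addition.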


