Date: Sat, 12 Jul 1997 03:42:58 -0400
From: "Joel N. Weber II" <devnull@gnu.ai.mit.edu>
To: jdp@polstra.com
Cc: chat@FreeBSD.ORG
Subject: Re: CVSup mirrors and version 15.1
Message-ID: <199707120742.DAA12377@psilocin.gnu.ai.mit.edu>
In-Reply-To: <199707112313.QAA18955@austin.polstra.com> (message from John Polstra on Fri, 11 Jul 1997 16:13:03 -0700)

   Date: Fri, 11 Jul 1997 16:13:03 -0700
   From: John Polstra <jdp@polstra.com>
   Sender: owner-hubs@FreeBSD.ORG

   * It fixes a potentially nasty security problem. Under certain
   circumstances, it was possible for a file's setuid and/or setgid
   bits to be transferred even though the owner/group were not. Since
   the clients often run as root, this meant that a setuid file owned
   by Joe Blow on the server host would become a setuid-to-root file
   on the client. Not nice.

   I put fixes for this into both the client and the server, and all
   the US servers are already upgraded. So you are already reasonably
   protected. But wouldn't you feel better running a client that
   protected you, so you wouldn't have to trust somebody else's server?

Maybe I'm missing something, but aren't you trusting someone else's server
whenever you get a kernel from that server?
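
Added example, not part of the original message and not CVSup's own code: a client-side check of the kind the quoted announcement describes, keeping the setuid/setgid bits only when the matching owner/group was really applied to the local file. The struct, function names and sample values are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical record of what a mirror client received for one file. */
struct incoming_attrs {
    mode_t mode;       /* mode bits as sent by the server */
    uid_t uid;         /* owner to apply, if want_owner */
    gid_t gid;         /* group to apply, if want_group */
    bool want_owner;   /* client is configured to transfer the owner */
    bool want_group;   /* client is configured to transfer the group */
};

/* Keep setuid only if the owner really was applied, setgid only if the
 * group really was applied; otherwise the bit would take effect under
 * whatever identity the client runs as (often root). */
mode_t safe_client_mode(mode_t server_mode, bool owner_applied, bool group_applied)
{
    mode_t m = server_mode & 07777;
    if (!owner_applied) m &= ~(mode_t)S_ISUID;
    if (!group_applied) m &= ~(mode_t)S_ISGID;
    return m;
}

/* Set ownership first, then the filtered mode. A failed fchown counts as
 * "not applied". Returns the mode set, or (mode_t)-1 if fchmod fails. */
mode_t apply_attrs(int fd, const struct incoming_attrs *a)
{
    bool owner_ok = a->want_owner && fchown(fd, a->uid, (gid_t)-1) == 0;
    bool group_ok = a->want_group && fchown(fd, (uid_t)-1, a->gid) == 0;
    mode_t m = safe_client_mode(a->mode, owner_ok, group_ok);
    return fchmod(fd, m) == 0 ? m : (mode_t)-1;
}

int main(void)
{
    char path[] = "/tmp/attrdemoXXXXXX";          /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    struct incoming_attrs a = { 06755, 0, 0, false, false }; /* constructed */
    printf("applied mode: %04o\n", (unsigned)apply_attrs(fd, &a));
    close(fd);
    unlink(path);
    return 0;
}
```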