Date: Sun, 9 Sep 2001 04:52:27 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Matt Dillon <dillon@earth.backplane.com>, Jordan Hubbard <jkh@FreeBSD.ORG>, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909045226.A33654@nagual.pp.ru>
In-Reply-To: <20010908174304.A88816@xor.obsecurity.org>
References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 17:43:04 -0700, Kris Kennaway wrote:
> On Sat, Sep 08, 2001 at 05:02:57PM -0700, Kris Kennaway wrote:
>
> > Looks like setting the schg flag is the only feasible containment
> > solution for now.
>
> Here's a proposed fix. It just disallows anyone other than root from
> specifying an alternate configuration file, for the setuid utilities
> (which was the cause of the vulnerability here, AFAIK).

What are you trying to fix this way? It breaks normal users dialing to
their systems; they always specify their own files. Consider uu* as
user-level utilities. The only point of restriction is to restrict their
access to dialing devices, not to utilities.

--
Andrey A. Chernov
http://ache.pp.ru/