Date: Tue, 25 Jun 2002 11:40:15 +1000 (Australia/ACT) From: Darren Reed <avalon@coombs.anu.edu.au> To: deraadt@cvs.openbsd.org (Theo de Raadt) Cc: nectar@FreeBSD.ORG (Jacques A. Vidrine), freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <200206250140.LAA26616@caligula.anu.edu.au> In-Reply-To: <200206250111.g5P1BVLJ015666@cvs.openbsd.org> from "Theo de Raadt" at Jun 24, 2002 07:11:30 PM
next in thread | previous in thread | raw e-mail | index | archive | help
In some mail from Theo de Raadt, sie said: > > > I don't disagree that leaks happen. That's Just the Way It Is. > > Not this time. > > > I'd > > rather we had the information now to make wise choices about what to > > do with deployed systems, custom hacks, and older-but-still-supported > > releases --- knowing there is a possibility for `leakage' that grows > > with time. > > Ask your vendor. And ask them to read the following (which I am > re-posting since people appear not to have read it carefully enough), > where I lay out very very very clearly what your choices and your > vendor's choices are. If you don't like those choices, turn it off. > What more do you expect? Ice cream and a pat on the head? You've > never had it better! You get a warning days and days in advance, with > no leak, and you shoot the messenger! Bang! As I said: Hogwash. What I like least about this new bug is that the workaround is to use a new feature called "Priviledge Separation". Maybe it wouldn't have mattered what the "next new bug" was, this would just have been one defence. The timing is quite ironic. The paranoia in me is screaming to resist and I can't help but ponder, does enabling priviledge separation disable the exploit or does it just limit it to the userid sshd runs as in this mode ? Can an attacker still get a remote shell (just not root) if priviledge separation is enabled ? Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206250140.LAA26616>