From owner-freebsd-security Sun Sep 3 13:26:52 2000
Message-ID: <39B2B33A.EC657BD3@earthlink.net>
Date: Sun, 03 Sep 2000 16:23:22 -0400
From: Jeff Evarts
Organization: Riventree
To: lidl@pix.net
Subject: What level of bug is worth reporting?

Hello,

This is really a question about what-level-of-bug-is-worth-reporting.

This is what I found:

IF ( Obscure-Service-X is turned on in Open/Free/Net-BSD ) [Haven't checked BSD/OS]
THEN
    Any local user can set the access time of any file to the current time
    Any local user can set the mode of any tty device to rw------, whether it's in use or not
ENDIF

Both of these seem like potential DOS problems to me, though I cannot think of any way to exploit them to become root or anything, and the code in question has worked the way it does for over 2 years.

Is a "problem" like this worth reporting, or does it just make you look like a nitpicker?

-Jeff Evarts
--riventree@earthlink.net
---http://www.ecst.csuchico.edu/~amarth/