Date: Mon, 1 Oct 2012 07:55:29 -0400 From: Eitan Adler <lists@eitanadler.com> To: Konstantin Belousov <kostikbel@gmail.com> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, Erik Cederstrand <erik@cederstrand.dk> Subject: Re: Opinion on checking return value of setuid(getuid())? Message-ID: <CAF6rxgmKWfefr5tvM3-0PQM3EKWockkb8A4sCiyYekxs5b4fGA@mail.gmail.com> In-Reply-To: <20121001110805.GL35915@deviant.kiev.zoral.com.ua> References: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk> <20121001104901.GJ35915@deviant.kiev.zoral.com.ua> <F81C009D-F993-4398-B377-D0B4A0ABA7E3@cederstrand.dk> <20121001110805.GL35915@deviant.kiev.zoral.com.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
On 1 October 2012 07:08, Konstantin Belousov <kostikbel@gmail.com> wrote: > I do not believe in the dreadful 'flood ping' security breach. Is a > local escalation possible with non-dropped root ? It is clearly a local escalation: a non-root user can do something which was intended only for root. It is a different question how serious the breach is. -- Eitan Adler
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAF6rxgmKWfefr5tvM3-0PQM3EKWockkb8A4sCiyYekxs5b4fGA>