Date: Fri, 23 Jun 2000 16:34:11 -0400
From: Keith Stevenson
To: Mike Tancsa
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
Message-ID: <20000623163411.A1412@osaka.louisville.edu>

On Fri, Jun 23, 2000 at 03:48:48PM -0400, Mike Tancsa wrote:
> What about
>
> --enable-paranoid
>
> as part of the config ? As so much seems to be related to the site exec
> command, perhaps it's best to just disable this ?

While I'm all for actually fixing the problems in the code, I've found
the --enable-paranoid option to be a good one. I've been tinkering
around with the exploit and the paranoid option seems to defend against
it. I don't think that any of my users will miss the SITE EXEC commands.

--enable-paranoid probably should be added to the port build.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE