From owner-freebsd-security Thu Dec 16 10:37: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20])
	by hub.freebsd.org (Postfix) with ESMTP id 92A5B1558E
	for ; Thu, 16 Dec 1999 10:37:06 -0800 (PST)
	(envelope-from spidey@anarcat.dyndns.org)
Received: by anarcat.dyndns.org (Postfix, from userid 1000)
	id 259451B71; Thu, 16 Dec 1999 13:37:18 -0500 (EST)
From: Spidey
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Message-ID: <14425.12637.308602.637788@anarcat.dyndns.org>
Date: Thu, 16 Dec 1999 13:37:17 -0500 (EST)
To: Warner Losh
Cc: Robert Watson, Chris England, freebsd-security@FreeBSD.ORG
Subject: Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd)
References: <14425.12035.757889.422296@anarcat.dyndns.org>
	<199912160615.XAA69151@harmony.village.org>
	<199912161828.LAA72864@harmony.village.org>
X-Mailer: VM 6.72 under 21.1 (patch 7) "Biscayne" XEmacs Lucid
Reply-To: Spidey
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes. Since I've been looking at setuid's on FBSD, my primary concern's
been with the ports. I wished there could be some way to have a variable
in the Makefiles that say "NOSETUID=YES". :))

We should make a definite list of all the setuid's in the whole port
tree. Maybe the port maintainers can give a hand?

Darn.. déjà vu...

--- Big Brother told Warner Losh to write, at 11:28 of December 16:
> In message <14425.12035.757889.422296@anarcat.dyndns.org> Spidey writes:
> : The patch fixes the exploit, not the suid bit.
>
> Yes. I'm starting to think that a blanket policy of not setuid root
> games might not be a bad idea.
>
> Warner
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
If the image gives the illusion of knowing,
it is because the adage claims that, to believe,
the important thing would only be to see
Lofofora
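
The inventory of setuid files proposed in this message can be taken on an installed system and checked against a reviewed list. The script below is an added example, not part of the original post or of the FreeBSD ports tree; the function names, the allowlist file and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): inventory setuid/setgid files under
# a prefix and report any that are missing from a reviewed allowlist.
# Hypothetical usage, assuming ports install under /usr/local:
#   audit_setid /usr/local /path/to/setid.allow 0

# list_setid DIR [UID]
# Print every regular file under DIR that has the setuid or setgid bit,
# one path per line, sorted. With UID, keep only files owned by that
# numeric user id (0 selects the setuid-root case the thread is about).
list_setid() {
    dir=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        find "$dir" -type f -user "$owner" \
            \( -perm -4000 -o -perm -2000 \) -print
    else
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print
    fi 2>/dev/null | sort
}

# audit_setid DIR ALLOWLIST [UID]
# ALLOWLIST holds one reviewed path per line. Lines that are not exact
# paths (comments, blanks) never match a file and are therefore harmless.
# Prints the files that are NOT on the allowlist and returns 1 if there
# are any, 0 if every setuid/setgid file found has been reviewed.
audit_setid() {
    # grep exits 1 when nothing is unexpected; "|| true" keeps callers
    # that run under "set -e" alive.
    unexpected=$(list_setid "$1" "${3:-}" | grep -v -x -F -f "$2" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}
```

Run from cron or after each port install or upgrade, a non-zero return from `audit_setid` marks a setuid or setgid file that nobody has reviewed yet.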