[bug #29755] gdomap information disclosure vulnerabilities
From: Richard Frith-Macdonald
Subject: [bug #29755] gdomap information disclosure vulnerabilities
Date: Wed, 05 May 2010 09:54:07 +0000
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7

Follow-up Comment #4, bug #29755 (project gnustep):

> In most typical GNUstep setups gdomap is no longer needed,
> so we may just need a bit more documentation for distributions
> about when to install it at all

That's like saying the spell server and sound daemons are not needed (because
few people use them), and therefore should not be installed by most
distributions.

When to install would be *always* ... otherwise networked distributed objects
are broken.

The issue is whether a distribution should install the program setuid ... and
of course it is (and always has been) recommended that it's started at system
boot time (in which case the setuid flag is not needed).

We should perhaps change our install script to install without the setuid
flag, forcing the distributors to do that themselves if they want it.

> Otherwise the dropping of the privileges sounds like the best option.

Unfortunately that's not an easy option since not all systems actually allow
you to restore privileges once dropped, and you need to be privileged to open
the port to work on. I don't actually think that would improve security
significantly (or at all as long as access() works) now that the code uses
access() to check the files anyway.

_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?29755>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
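
An added example, not code from gdomap or from this thread, of the access() check referred to in the message above: in a setuid program, access() tests the real (invoking) user's rights before a file is opened. The function names and the sample path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helpers (not gdomap code). access() checks with the REAL
 * uid/gid, so in a setuid-root binary it answers "may the invoking user
 * read this?", whereas open() is judged against the EFFECTIVE uid and
 * would succeed for root regardless. */
static int invoker_may_read(const char *path)
{
    return access(path, R_OK) == 0;
}

/* Returns a read-only descriptor, or -1 with errno set. */
int open_for_invoker(const char *path)
{
    struct stat st;
    int fd;

    if (!invoker_may_read(path))
        return -1;                      /* errno comes from access() */
    /* Check and open are separate system calls: refuse a symlink as the
     * final component and re-check the object via the descriptor. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;                 /* only regular files accepted */
        return -1;
    }
    return fd;
}

int main(void)
{
    char sample[] = "/tmp/invoker-demo-XXXXXX";  /* constructed sample */
    int tmp = mkstemp(sample), fd;

    if (tmp < 0)
        return 1;
    close(tmp);
    fd = open_for_invoker(sample);
    printf("%s: %s\n", sample, fd >= 0 ? "opened" : "refused");
    unlink(sample);
    return fd >= 0 ? 0 : 1;
}
```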