Re: [bug #29755] gdomap information disclosure vulnerabilities
From: Richard Frith-Macdonald
Subject: Re: [bug #29755] gdomap information disclosure vulnerabilities
Date: Wed, 5 May 2010 16:56:09 +0100
On 5 May 2010, at 16:04, Dan Rosenberg wrote:
> I'm still a bit unsure about this fix. I think that it should either
> be made explicit that gdomap is never intended to be installed setuid
> (and as a result, is never installed that way), or it should be fixed
> so that it's completely safe to run setuid - choosing somewhere in
> between leaves some users open to vulnerability.
I think the current state is that it's safe to run setuid to root.
But ... that doesn't mean we should start recommending having it setuid.
> I haven't seen the actual code of the fix, but it sounds as if it's a
> good start but incomplete. As Fred mentioned, unprivileged users
> should not be able to open and parse other users' files at all, even
> if the error information returned is limited.
I'm not sure about that ... when there's no security issue in doing so, it
seems reasonable to be able to have different users share common configuration
information (after all, that's what group permissions are for). Forcing all
users to have their own separate config files would rather defeat the point.
It's hard to see how the current code (reporting problem line number) could
provide useful information to a cracker, but I suppose we could simply report
nothing at all.
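The two points argued over above, a possibly-setuid daemon parsing a config file the invoking user may not be able to read, and error messages that echo something about that file back, are illustrated by the following added example. It is not gdomap's code and not from any participant in this thread; the "key = value" file format, the function names and the temp-file helper are hypothetical. The file is opened with the effective uid/gid temporarily switched to the caller's real ids, so the kernel decides whether that user may read it, and a parse failure is reported without a line number.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Coarse results: nothing about the file's contents leaks through them. */
enum cfg_status { CFG_OK = 0, CFG_DENIED = 1, CFG_BAD = 2 };

/* Open PATH with the effective uid/gid temporarily set to the invoking
 * user's real uid/gid, so the kernel applies that user's permissions.
 * When the program is not installed setuid/setgid the switch is a no-op. */
static FILE *open_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    FILE *fp;
    int saved_errno;

    if (setegid(getgid()) != 0)
        return NULL;
    if (seteuid(getuid()) != 0) {
        (void)setegid(saved_egid);
        return NULL;
    }
    fp = fopen(path, "r");
    saved_errno = errno;
    /* Restoring is permitted because the saved set-user-ID is unchanged.
     * Continuing with mixed credentials would be worse than dying. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    errno = saved_errno;
    return fp;
}

/* Parse a hypothetical "key = value" file (one entry per line, '#' comments).
 * On success *entries receives the entry count. A malformed line yields
 * CFG_BAD with no line number, and a file the real user may not read is
 * never opened at all, so the parser cannot be used as an oracle. */
static enum cfg_status parse_config(const char *path, int *entries)
{
    char line[512];
    int count = 0;
    FILE *fp = open_as_real_user(path);

    if (fp == NULL)
        return (errno == EACCES || errno == EPERM) ? CFG_DENIED : CFG_BAD;
    while (fgets(line, sizeof line, fp) != NULL) {
        const char *p = line;
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '#' || *p == '\n' || *p == '\0')
            continue;               /* comment or blank line */
        if (strchr(p, '=') == NULL) {
            fclose(fp);
            return CFG_BAD;         /* deliberately no line number */
        }
        count++;
    }
    fclose(fp);
    *entries = count;
    return CFG_OK;
}

/* Helper for trying the parser: write constructed sample content to a fresh
 * temp file and return its malloc'd path (caller unlinks and frees). */
static char *write_sample(const char *content)
{
    static const char tmpl[] = "/tmp/cfg-example-XXXXXX";
    char *path = malloc(sizeof tmpl);
    int fd;
    FILE *fp;

    if (path == NULL)
        return NULL;
    memcpy(path, tmpl, sizeof tmpl);
    fd = mkstemp(path);
    if (fd < 0) {
        free(path);
        return NULL;
    }
    if ((fp = fdopen(fd, "w")) == NULL) {
        close(fd);
        free(path);
        return NULL;
    }
    fputs(content, fp);
    fclose(fp);
    return path;
}

int main(void)
{
    int n = 0;
    enum cfg_status st;
    char *path = write_sample("# constructed sample\nport = 538\nbind = 127.0.0.1\n");

    if (path == NULL)
        return 1;
    st = parse_config(path, &n);
    printf("status %d, %d entries\n", (int)st, n);
    unlink(path);
    free(path);
    return st == CFG_OK ? 0 : 1;
}
```

Run as an ordinary user the privilege switch changes nothing; installed setuid root, the fopen() fails with EACCES for any file the invoking user could not read anyway, which is the behaviour Fred and Dan ask for, while the parser's CFG_BAD carries no detail an attacker could use to probe a readable-but-shared file. Note that access(2) is not used here: it checks the real uid but leaves a window between the check and the open, whereas switching the effective ids makes the open itself the check.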