tiger-devel

Re: [Tiger-devel] Tiger-3.1 Buffer Overflow bug


From: Steve G
Subject: Re: [Tiger-devel] Tiger-3.1 Buffer Overflow bug
Date: Tue, 22 Apr 2003 17:03:39 -0700 (PDT)

Hello,

>> */etc/hosts.deny check for ALL:ALL
>
>Why? Shouldn't it be hosts.allow the one giving 
>the warning?

hosts.allow has its own problems, but if ALL:ALL isn't in
hosts.deny, then access is granted for everything. I
publish socket_wrappers, which is an experimental fork of
tcp_wrappers; I also found a bug that if hosts.deny is not
world readable, access can be granted for things you
thought were protected. So maybe that check should be
added, too. If hosts.allow isn't world readable, then you
don't get access, which is a fail-safe position...unless
hosts.deny can't be read. There are a lot of little issues
with tcp_wrappers.

It turns out that Red Hat never puts anything in
hosts.deny. It's always one of the first tasks when setting up a
RH machine. There's no GUI for it, so many newbies miss it.
The sshd shipped by RH has tcp_wrappers enabled, but
without ALL:ALL, everyone can take a shot at your sshd if
you don't have a firewall.

>> * warn if any .rpmnew or .rpmsave files are found.
>> Signs of an upgrade trying to replace a config. Admin
>> needs to handle the merge & delete them.
>
>if you can provide a simple check I can turn it
>into a module (see README.writemodules)

find / -name '*.rpm[sn]*'

Those files lying around are clearly an upgrade that needs
attention. The message should be something along the lines
of "An upgraded package (%s) was installed, but the
configuration of the new package may have changed; you need
to do a diff between the files and resolve differences...
deleting the rpmsave or rpmnew file when done."

Is 3.2 CVS only? Do you have published anonymous CVS
instructions? I can give you a baseline on a machine I just
installed today. I was just about to tighten it. Tell me
when your bug squashing is done and I'll run a baseline for
you.

-Steve Grubb
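The two checks discussed in this message, written up as an added example that is not part of Tiger and not Steve's code: a POSIX sh script with one function that warns when a hosts.deny file lacks an ALL:ALL default-deny rule or is not world-readable (the two tcp_wrappers conditions raised above), and one that reports leftover .rpmnew/.rpmsave files with the kind of message suggested in the thread. The file and root paths are function parameters (an assumption made here so the checks can be exercised against a constructed tree instead of the live /etc); the function names and the wording of the warnings are likewise this example's own.

```shell
#!/bin/sh
# Added example, not code from the Tiger project or from Steve's post.
#   check_hosts_deny     - warn if hosts.deny lacks ALL:ALL or is not world-readable
#   check_rpm_leftovers  - warn about *.rpmnew / *.rpmsave files left by upgrades
# Paths are parameters (assumption) so the checks can run against a sample tree.

# Print one WARN line per problem in the given hosts.deny file.
# Returns 0 when the file looks sane, 1 otherwise.
check_hosts_deny() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "WARN: $f is missing; tcp_wrappers then allows anything not matched in hosts.allow"
        return 1
    fi
    # Strip comments, then look for a line of the form "ALL : ALL" (whitespace
    # around the colon is allowed by the hosts_access(5) syntax).
    if ! sed -e 's/#.*//' "$f" \
         | grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|:|$)'; then
        echo "WARN: $f has no ALL:ALL default-deny rule"
        rc=1
    fi
    # World-readability is judged from the mode bits rather than with "test -r",
    # because a check run as root can read anything. Character 8 of "ls -l"
    # output is the "other" read bit.
    case "$(ls -ld "$f")" in
        ???????r*) ;;
        *) echo "WARN: $f is not world-readable; an unprivileged daemon cannot read the deny list"
           rc=1 ;;
    esac
    return $rc
}

# List every *.rpmnew / *.rpmsave file under the given root, one WARN line
# each. Returns 0 when none are found, 1 otherwise.
check_rpm_leftovers() {
    root="$1"
    found=$(find "$root" -xdev \( -name '*.rpmnew' -o -name '*.rpmsave' \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while IFS= read -r p; do
        echo "WARN: $p: an upgraded package left a new or saved configuration file;" \
             "diff it against the live file, resolve the differences, then delete it"
    done
    return 1
}

# Stand-alone demo against a constructed tree (sample data, not a real system).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/ssh"
printf '# constructed sample: no default-deny rule\nsshd: 192.0.2.0/24\n' \
    > "$demo_root/etc/hosts.deny"
chmod 600 "$demo_root/etc/hosts.deny"          # deliberately not world-readable
: > "$demo_root/etc/ssh/sshd_config.rpmnew"    # leftover from a simulated upgrade
check_hosts_deny "$demo_root/etc/hosts.deny" || :
check_rpm_leftovers "$demo_root" || :
rm -rf "$demo_root"
```

Both functions print their findings and signal them through the exit status, so a Tiger module wrapper could either forward the text or just branch on the return code.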




