The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

permissions on setuid binaries

To: debian-private@lists.debian.org
Subject: permissions on setuid binaries
From: Daniel Quinlan <quinlan@proton.pathname.com>
Date: 18 Nov 1996 10:36:04 -0800
Importance: low
In-reply-to: Christoph Lameter's message of Mon, 18 Nov 1996 08:41:26 -0800 (PST)
Priority: non-urgent
References: <Pine.LNX.3.95.961118083409.27769F-100000@waterf.org>
Resent-from: debian-private@lists.debian.org
Resent-message-id: <"dXjV9.0.Zo.Z0Bao"@master.debian.org>
Resent-reply-to: debian-private@lists.debian.org
Resent-sender: debian-private-request@lists.debian.org

Christoph Lameter <clameter@waterf.org> writes:

> Regarding the netdiag package: The setuid's that were once part of
> the package were only executable by a members of a certain
> group. [...]

I'm wondering if it would be better to leave it executable and be able
to print an appropriate error message if the user isn't in the right
group.  Thoughts?

>>> One example: the very existence of a must world readable file like
>>> /etc/passwd.

>> Using shadow passwords fixes this.  Unless you install one of
>> Chrisoph's packages, of course.

> Look I have had enough of this nonsense. Ok. You found a security
> hole in dosemu but to make this general claim is really
> irresponsible.

My error.  I should have qualified the statement so that it would be
clear I wasn't speaking of every package you have dnoe.

Here is a rephrasing that gets to the technical substance of what I
was saying (about your irresponsible claim about /etc/passwd).

  Using shadow passwords fixes this unless you install a package
  that includes a setuid root program that is not configured or
  designed properly to run setuid root.

-- 
Daniel Quinlan <quinlan@pathname.com>  |  finger quinlan@pathname.com for PGP
quinlan@transmeta.com (at work)        |  http://www.pathname.com/~quinlan/

--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Follow-Ups:
- Re: permissions on setuid binaries
  - From: Christoph Lameter <clameter@waterf.org>

References:
- Re: Security: How we did it
  - From: Christoph Lameter <clameter@waterf.org>

Prev by Date: level of discourse
Next by Date: Re: Security: How we did it
Previous by thread: Re: Security: How we did it
Next by thread: Re: permissions on setuid binaries
Index(es):
- Date
- Thread