

Re: Security: How we did it



'Christoph Lameter wrote:'
>
>Since there were so many posts regarding security in the last days and so
>much what I would consider inaccurate representations. I thought a summary
>of how security is handled on our campus would hopefully bring things
>into the correct perspective.

This is the reason you have made so many mistakes: many Debian admins
are in /completely/ different situations.  When you make a package that
has security implications, the package /must/ take into account all
possible installation situations (actually, all packages must do this
regardless of security implications).  Since many admins wouldn't
necessarily think that dosemu (or etc.,) would be installed suid, the
package maintainer must at least warn the naive sysadmin.  But since no
one likes trivial postinst questions, it's better to make the package
install securely and the admin can add risky privileges as a local
site configuration.

I think sendmail should not be installed suid.  I have successfully
installed sendmail sgid mail and it seems to work fine (the only loss
of functionality that I notice is .forward doesn't work if the /home
directories are not world readable -- but .procmailrc works since
procmail is installed suid root (and I've never heard of security holes
in procmail...knock on wood)).

-- 
Christopher J. Fearnley            |    Linux/Internet Consulting
cjf@netaxs.com, cjf@onit.net       |    UNIX SIG Leader at PACS
http://www.netaxs.com/~cjf         |    (Philadelphia Area Computer Society)
ftp://ftp.netaxs.com/people/cjf    |    Design Science Revolutionary
"Dare to be Naive" -- Bucky Fuller |    Explorer in Universe

--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
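
The .forward observation in the message above, modelled as an added example (not part of the original post and not sendmail code): a simplified Unix permission check showing why a mailer that holds only group mail cannot open another user's ~/.forward when the home directory is closed, while a setuid-root one can. All uids, gids and modes are constructed; ACLs and sendmail's own file-safety checks are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    owner: int  # uid owning the file or directory
    group: int  # gid owning the file or directory
    mode: int   # permission bits, e.g. 0o755

@dataclass(frozen=True)
class Cred:
    euid: int
    egids: frozenset

def allowed(cred, node, want):
    """Classic owner/group/other check; want is 4 (read), 2 (write) or 1 (search)."""
    if cred.euid == 0:
        return True  # root bypasses read and search checks
    if cred.euid == node.owner:
        bits = node.mode >> 6
    elif node.group in cred.egids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & want) == want

def can_read(cred, path_nodes):
    """Search permission on every directory, read permission on the final file."""
    *dirs, leaf = path_nodes
    return all(allowed(cred, d, 1) for d in dirs) and allowed(cred, leaf, 4)

# Constructed ids: alice sends mail to bob; the mail group id is an assumption.
ALICE, BOB, USERS_GID, MAIL_GID = 1000, 1001, 100, 8

def forward_path(home_mode):
    """Nodes for /, /home, /home/bob, /home/bob/.forward (constructed modes)."""
    return [Node(0, 0, 0o755), Node(0, 0, 0o755),
            Node(BOB, USERS_GID, home_mode), Node(BOB, USERS_GID, 0o644)]

# A setuid-root mailer runs with euid 0; an sgid-mail mailer keeps the
# invoking user's uid (alice here) and only gains the mail group.
SUID_ROOT = Cred(0, frozenset({0}))
SGID_MAIL = Cred(ALICE, frozenset({USERS_GID + 1, MAIL_GID}))

if __name__ == "__main__":
    for mode in (0o700, 0o711, 0o755):
        print(oct(mode), "suid root:", can_read(SUID_ROOT, forward_path(mode)),
              "sgid mail:", can_read(SGID_MAIL, forward_path(mode)))
```

In this model the sgid-mail process needs only search (execute) permission on the home directory to open .forward by name.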