The debian-private mailing list leak, part 1.


The unanswered Question



I have the following files on all my servers (except the Shell Server):

[miriam]~:l /usr/sbin/{strobe,statnet}
-rwsr-x---   1 root     admin       50404 Sep 11 12:14 /usr/sbin/statnet
-rwsr-x---   1 root     admin       10636 Sep 11 12:14 /usr/sbin/strobe

These are diagnostic commands used daily by system administrators (we
have more than 300 entities on the campus network to administer). All
administrators are in the group admin.

The commands are part of the netdiag package and were made setuid
later with a script.

(Disclaimer: THE NETDIAG PACKAGE DOES NOT INSTALL SETUID BINARIES!)

The question that I have tried to ask again and again and that I never got
a clear answer for is:

Why is the above setup a security risk?

Why do you assume that the binaries can be executed or their
security holes be exploited by anyone on the system?

I would like to package netdiag in some way that it generates the
permissions indicated above on install/upgrade.

I now have to manually run some scripts after each upgrade on a
server. We have 5 Linux servers, with more to come. Then there are some
Linux workstations. It gets a little bit unnerving to always keep an eye
on those things. The admin group can easily be handled by NIS.

--- +++ --- +++ --- +++ --- +++ --- +++ --- +++ --- +++ ---
PGP Public Key  =  FB 9B 31 21 04 1E 3A 33  C7 62 2F C0 CD 81 CA B5 

--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
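The following is an added example, not part of the message above and not code from the netdiag package or from Debian. It turns the layout the poster describes (owner root, group admin, mode 4750, i.e. -rwsr-x---) into three small shell functions: one that classifies an ls-style mode field, one that audits a file against that layout, and one that applies it. The group name "admin", the paths /usr/sbin/strobe and /usr/sbin/statnet, and the mode 4750 come from the message; the function names, the scan over /usr/sbin and the dpkg-statoverride line in the comment are assumptions of this example. The security point the classifier makes explicit is the one the poster is asking about: with mode 4750 only root and members of group admin can exec the binary, so a hole in it is reachable only by those accounts (or by whoever takes one of them over); with 4755 every local account can exec it, and the same hole becomes a local root escalation for everyone.

```shell
#!/bin/sh
# Added example (not from the original message): audit and enforce
# "setuid root, executable only by group admin" on a list of binaries.
# Assumed: the group name "admin", the paths and the mode 4750 as in the
# message; everything else here is illustrative.

# classify_setuid_mode MODE
# MODE is an ls -l style mode field such as -rwsr-x---. Prints one of:
#   not-setuid        the owner-execute slot has no 's'
#   world-executable  setuid and executable by any local user
#   group-restricted  setuid, executable only by owner and group
#   owner-only        setuid but only the owner can run it
classify_setuid_mode() {
    mode=$1
    # position 4 is the owner-execute slot; 's'/'S' means the setuid bit is set
    case $(printf '%s' "$mode" | cut -c4) in
        s|S) ;;
        *) echo not-setuid; return 0 ;;
    esac
    # position 10 is the other-execute slot ('t'/'T' = sticky bit with/without x)
    case $(printf '%s' "$mode" | cut -c10) in
        x|t) echo world-executable; return 0 ;;
    esac
    # position 7 is the group-execute slot ('s'/'S' = setgid with/without x)
    case $(printf '%s' "$mode" | cut -c7) in
        x|s) echo group-restricted; return 0 ;;
    esac
    echo owner-only
}

# audit_setuid PATH OWNER GROUP
# Prints "PATH owner:group class" and succeeds only when the file is owned
# by OWNER, belongs to GROUP and is group-restricted setuid: for
# "root admin" that is exactly the -rwsr-x--- root admin layout from the message.
audit_setuid() {
    path=$1; want_owner=$2; want_group=$3
    set -- $(ls -ld "$path") || return 2
    mode=$1; owner=$3; group=$4
    class=$(classify_setuid_mode "$mode")
    printf '%s %s:%s %s\n' "$path" "$owner" "$group" "$class"
    [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] &&
        [ "$class" = group-restricted ]
}

# enforce_restricted_setuid PATH OWNER GROUP
# Applies the layout from the message: owner OWNER, group GROUP, mode 4750.
# On a Debian system the same setting can be registered with dpkg so that it
# survives package upgrades (assumed available on the reader's dpkg):
#   dpkg-statoverride --update --add root admin 4750 /usr/sbin/strobe
enforce_restricted_setuid() {
    chown "$2:$3" "$1" && chmod 4750 "$1"
}

# scan_setuid DIR
# Lists every setuid-root regular file under DIR with its classification,
# so the world-executable ones stand out from the group-restricted ones.
scan_setuid() {
    find "$1" -xdev -type f -perm -4000 -user root -exec ls -ld {} + 2>/dev/null |
    while read -r mode links owner group rest; do
        printf '%-17s %s\n' "$(classify_setuid_mode "$mode")" "${rest##* }"
    done
}

# Stand-alone usage (assumed invocation, not from the message):
#   sh thisfile.sh scan /usr/sbin
#   sh thisfile.sh enforce /usr/sbin/strobe /usr/sbin/statnet   (as root)
if [ "$#" -gt 0 ]; then
    case $1 in
        scan) scan_setuid "${2:-/usr/sbin}" ;;
        enforce) shift; for f in "$@"; do
                     enforce_restricted_setuid "$f" root admin
                     audit_setuid "$f" root admin
                 done ;;
    esac
fi
```

The classifier reads only the mode string, so it can be fed the two ls lines from the message directly. The enforce and scan steps need root on a real system; the audit step does not, which is why it is the one to put in a cron job on each of the servers the poster mentions.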