
Re: Cron Security Hole



Christoph Lameter <clameter@waterf.org> writes:

> Yes. I immediately got a root shell. This works even on our Shell
> Server!!!!!
> 
> I solved it by 
> 
> chmod u-s /usr/bin/crontab
> 
> Please please let us require all suid software to be released
> with suidmanager or fix dpkg so that it does it by itself !!!!
> 
> On the next upgrade I have to remember resetting that suid bit!

The correct fix is for the cron maintainer to close the security
hole in the next version of the package.

Anything else is a work-around that requires an omniscient system
administrator.

- -- 
Daniel Quinlan (quinlan@pathname.com)   At work (quinlan@transmeta.com)
http://www.pathname.com/~quinlan/       PGP key available - http or finger


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
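
The thread's concern is that a manual `chmod u-s` is silently undone when the package is upgraded. The following is an added example, not part of the original messages: a small shell helper that records each path whose setuid bit was removed on purpose and reports any that are setuid again. The state-file location and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). STATE is a hypothetical file that
# lists paths whose setuid bit was removed deliberately.
STATE=${STATE:-/var/local/suid-stripped.list}

# strip_suid PATH: remove the setuid bit and record the path once.
strip_suid() {
    chmod u-s "$1" || return 1
    grep -qxF -- "$1" "$STATE" 2>/dev/null || printf '%s\n' "$1" >> "$STATE"
}

# suid_returned: print every recorded path that is setuid again, for
# example because an upgrade restored the packaged file mode.
suid_returned() {
    [ -r "$STATE" ] || return 0
    while IFS= read -r path; do
        [ -u "$path" ] && printf '%s\n' "$path"
    done < "$STATE"
    return 0
}

# reapply: strip the bit again from everything suid_returned reports.
reapply() {
    suid_returned | while IFS= read -r path; do
        chmod u-s "$path" && printf 're-stripped %s\n' "$path"
    done
}
```

Running `suid_returned` after each upgrade replaces the "have to remember" step; current Debian releases also ship `dpkg-statoverride`, which records an administrator's chosen owner and mode for a path so that package upgrades keep it.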