

Re: Cron Security Hole



-----BEGIN PGP SIGNED MESSAGE-----

[ Please don't Cc: me when replying to this message on a mailing list ]

Christoph Lameter <clameter@waterf.org> writes:

> True. But the fix might not come up that fast. Having something like
> suidmanager allows provisional fixes to the system. For example I could
> have granted a closed group of users that urgently need access to cron
> still that access while switching off crontab for the general public.

suidmanager isn't required for provisional fixes.  Its main purpose is
as a work-around for maintainers who release insecure packages *after*
the system administrator (rather than the package maintainer) becomes
aware of them.

I think the burden of basic security should be on package maintainers,
not system administrators.  Instead of demanding that package maintainers
add hooks so we can claim provisional security if the system
administrator is aware of the holes we aren't fixing, perhaps we could
consider a better approach.

>> Anything else is a work-around that requires an omniscient system
>> administrator.
 
> Just someone who knows how setuid binary permissions work.

And is aware of every security hole.

- -- 
Daniel Quinlan (quinlan@pathname.com)   At work (quinlan@transmeta.com)
http://www.pathname.com/~quinlan/       Please don't Cc: me when replying      
PGP key available - http or finger	to this message on a mailing list.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

-----END PGP SIGNATURE-----


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com