The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ksrt@DEC.NET: KSR[T] Advisory #3: updatedb / crontabs]

Jason Costomiris <jcostom@sjis.com> writes:

> Debian is not mentioned in this advisory.  Is that due to the fact that
> Debian releases are not vulnerable to this attack, or that they just
> didn't consult with us?


I suspect that we weren't consulted.  At one time in the past,
updatedb was run as

	 su nobody -c "cd / && updatedb" 2>/dev/null

Some people did not like having a directory and various files
permanently owned by nobody.  Thus, it was changed to run as:

	cd / && updatedb --localuser=nobody 2>/dev/null

which runs sort as root.  This is probably a security hole.  Redhat
uses a form of 
	su -c "updatedb"

While it is easy under Redhat to force an arbitrary file to be copied
to the database, since Redhat's mv is done by root, I don't think that
is a security risk.  The file to which nobody writes can also be
linked to anything.  Again, I don't think that is a risk.

The version of SuSE still seems to have the security hole, contrary to 
their claims.

Will the security teams please investigate this.


-- 
Kevin Dalley
kevin@aimnet.com


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .