[1526] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Re: Yet Another DIP Exploit?

daemon@ATHENA.MIT.EDU (Uri Blumenthal)
Sun May 4 04:34:32 1997

From: Uri Blumenthal <uri@watson.ibm.com>
To: linux-security@redhat.com
Date: Sat, 3 May 1997 22:29:33 -0400 (EDT)
In-Reply-To: <199705020719.JAA00866@cave.BitWizard.nl> from "Rogier Wolff" at May 2, 97 09:19:55 am
Reply-To: uri@watson.ibm.com
Resent-From: linux-security@redhat.com

Rogier Wolff says:
> We're getting conflicting reports "it works for me" and "i can't
> reproduce the bug". Alex says it is an old one as well. 
> Lets keep in mind that:
>    - Program writers should NEVER recommend making their programs 
>      setuid as an easy way to allow non-root users to use their program
>      unless they have taken extreme measures to prevent exploits.

This program *must* run set-uid root. The measures *were* taken to
prevent several exploits.

>    - Some distributions may remove setuid bits to improve security.
>      My Red Hat 4.0 and 3.0.3 systems both don't have setuid bits on
>      dip.

Stupid.

> Suggestions for patching dip? OK. 
> Why is dip setuid? To add routes and stuff? OK. So make sure that
> it exchanges real and effective uid in all other code-pieces.
> This does NOT protect against buffer overrun exploits.

I'm sorry but from this it is obvious you know less than nothing
about DIP internals. Feel free to look at the sources, or to
refrain from comments on something outside your area of
expertise.
-- 
Regards,
Uri		uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>


home help back first fref pref prev next nref lref last post