[1526] in linux-security and linux-alert archive
[linux-security] Re: Re: Yet Another DIP Exploit?
daemon@ATHENA.MIT.EDU (Uri Blumenthal)
Sun May 4 04:34:32 1997
From: Uri Blumenthal <uri@watson.ibm.com>
To: linux-security@redhat.com
Date: Sat, 3 May 1997 22:29:33 -0400 (EDT)
In-Reply-To: <199705020719.JAA00866@cave.BitWizard.nl> from "Rogier Wolff" at May 2, 97 09:19:55 am
Reply-To: uri@watson.ibm.com
Resent-From: linux-security@redhat.com
Rogier Wolff says:
> We're getting conflicting reports "it works for me" and "i can't
> reproduce the bug". Alex says it is an old one as well.
> Lets keep in mind that:
> - Program writers should NEVER recommend making their programs
> setuid as an easy way to allow non-root users to use their program
> unless they have taken extreme measures to prevent exploits.
This program *must* run set-uid root. The measures *were* taken to
prevent several exploits.
> - Some distributions may remove setuid bits to improve security.
> My Red Hat 4.0 and 3.0.3 systems both don't have setuid bits on
> dip.
Stupid.
> Suggestions for patching dip? OK.
> Why is dip setuid? To add routes and stuff? OK. So make sure that
> it exchanges real and effective uid in all other code-pieces.
> This does NOT protect against buffer overrun exploits.
I'm sorry but from this it is obvious you know less than nothing
about DIP internals. Feel free to look at the sources, or to
refrain from comments on something outside your area of
expertise.
--
Regards,
Uri uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>