[880] in linux-security and linux-alert archive

Re: [linux-security] [8lgm]-Advisory-26.UNIX.rdist.20-3-1996 [Forwarded e-mail from Security Team]

daemon@ATHENA.MIT.EDU (Peter Tobias)
Thu Jul 4 16:00:46 1996

To: juphoff@tarsier.cv.nrao.edu (Jeff Uphoff)
Date: Thu, 4 Jul 1996 16:40:51 +0200 (MET DST)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Cc: linux-security@tarsier.cv.nrao.edu
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <199607032330.TAA30525@tarsier.cv.nrao.edu> from "Jeff Uphoff" at Jul 3, 96 07:30:06 pm

Jeff Uphoff wrote:
> Red Hat 3.0.3 and Slackware 3.0 (the only distributions I've checked so
> far) appear safe: by default, they do not install rdist setuid--though
> the version that comes with them (rdist-6.1.0) would be vulnerable if
> made setuid (by hand) after installation, for whatever strange reason.
> (I've inspected the code, and the unchecked buffer is rather obvious.)
> 
> Note that there is no need to install rdist setuid if it is compiled to
> use rsh vice rcmd(); rsh is the (safe) default, and is the compilation
> method used by both Red Hat and Slackware.
> 
> Anyone care to take a look at other Linux distributions to check for
> default installations that are configured for setuid/rcmd()?

The Debian distribution does not install rdist setuid.


Thanks,

Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@debian.org
 Constantiaplatz 4, 26723 Emden, Germany     tobias@linux.de
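
An added example, not part of the original message or of any distribution's tooling: a shell check for the condition this thread asks about, namely whether an installed rdist binary carries the setuid bit. The function name `audit_rdist` and the directories in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread).
# Per the thread, rdist only needs setuid when built to use rcmd();
# a build that uses rsh should not carry the bit at all.
#
# audit_rdist DIR...
#   Prints one line per file named "rdist" found under the given
#   directories, prefixed with SETUID or ok.
#   Returns 1 if any rdist binary is setuid, 0 otherwise.
audit_rdist() {
    rc=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -perm -4000 matches files that have the setuid bit set
        suid=$(find "$dir" -type f -name rdist -perm -4000 2>/dev/null)
        safe=$(find "$dir" -type f -name rdist ! -perm -4000 2>/dev/null)
        if [ -n "$suid" ]; then
            printf '%s\n' "$suid" | sed 's/^/SETUID  /'
            rc=1
        fi
        if [ -n "$safe" ]; then
            printf '%s\n' "$safe" | sed 's/^/ok      /'
        fi
    done
    return "$rc"
}

# Stand-alone use, e.g.:  sh audit_rdist.sh /usr/bin /usr/sbin /usr/local/bin
if [ "$#" -gt 0 ]; then
    audit_rdist "$@"
fi
```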
