[898] in linux-security and linux-alert archive
Re: [linux-security] dip
daemon@ATHENA.MIT.EDU (Cosimo Leipold)
Fri Jul 12 11:36:07 1996
Date: Thu, 11 Jul 1996 01:55:03 -0400 (EDT)
From: Cosimo Leipold <leipold+@andrew.cmu.edu>
To: jordy@thirdwave.net (Jordy)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199607101720.TAA06048@rbit.co.za>
The problem with every system doesn't change. The question boils down to
how many people are going to take the time to change things that are
potentially dangerous though not. For example, you might think dip was a
bad idea to have setuid, you might think that the best thing to do is to
make a dip group, but how many of you will go and chmod dip and edit
your group file and make a group called dip? This is an example of a
*very* lazy person, but if you look at some other examples of security
holes, it often, if not always, comes down to someone just not taking
the time to *drop everything* and fix it. For example, a while back,
there was a posting here about convert.bas being insecure, you can still
find sites with convert.bas on them. However, AltaVista, which once let
you search for convert.bas, now has removed all links with that reference.
This is what everyone should do. (Of course, you can still look things
up with date.bas and then just assume convert.bas still exists...)
The problem, I feel, doesn't lie in whether dip is SETUID(0) or not,
it lies in the fact that people just don't take the appropriate action
--> drop everything and fix it....