[13133] in bugtraq


Re: majordomo local exploit

daemon@ATHENA.MIT.EDU (Christopher X. Candreva)
Wed Dec 29 20:16:47 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.SUN.4.10.9912290949330.22561-100000@westnet.com>
Date:         Wed, 29 Dec 1999 09:52:33 -0500
Reply-To: "Christopher X. Candreva" <chris@WESTNET.COM>
From: "Christopher X. Candreva" <chris@WESTNET.COM>
X-To:         Brock Tellier <btellier@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991229024744.23364.qmail@nwcst292.netaddress.usa.net>

On Tue, 28 Dec 1999, Brock Tellier wrote:

> but wrapper immediately setuid()'s and setgid()'s to owner:daemon before
> execing the wrapped program.

Bugs in resend aside, this appears to be an incorrect configuration of
wrapper.  majordomo should have its own group as well as user, and it
should change to that group, not daemon. This is according to Doc/FAQ in the
Majordomo 1.94.4 distribution.

The whole point of the wrapper and unique uid/gid is to limit the effect of
such bugs.

-Chris


==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
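
A check for the configuration point made in the message above, as an added example that is not part of the original post or of the Majordomo distribution: it reports whether the uid and gid a setuid wrapper switches to are dedicated to a single service account. The passwd/group data, the account name `majordom`, the id 91 and the helper names are constructed for illustration.

```python
"""Audit whether a setuid wrapper's target uid/gid is dedicated to one service."""

# Constructed sample data in passwd(5)/group(5) format; not taken from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lp:x:7:1:printer:/var/spool/lpd:/usr/sbin/nologin
majordom:x:91:91:Majordomo:/usr/local/majordomo:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
daemon:x:1:lp,uucp
majordom:x:91:
"""

def parse(text, nfields):
    """Split colon-separated records, skipping blanks, comments and short lines."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= nfields:
                rows.append(fields)
    return rows

def audit_target(uid, gid, passwd_text, group_text):
    """Return a list of findings; an empty list means uid and gid are dedicated."""
    users = parse(passwd_text, 7)
    groups = parse(group_text, 4)
    findings = []
    owners = [u[0] for u in users if u[2] == str(uid)]
    if uid == 0 or gid == 0:
        findings.append("target is root (uid or gid 0)")
    if len(owners) != 1:
        findings.append(f"uid {uid} maps to {len(owners)} accounts, expected 1")
    grp = [g for g in groups if g[2] == str(gid)]
    if not grp:
        findings.append(f"gid {gid} has no entry in the group file")
        return findings
    # Accounts whose primary group is the target gid, other than the service account.
    primary = [u[0] for u in users if u[3] == str(gid) and u[0] not in owners]
    # Supplementary members listed in the group file.
    extra = [m for m in grp[0][3].split(",") if m and m not in owners]
    shared = sorted(set(primary + extra))
    if shared:
        findings.append(f"group {grp[0][0]} is shared with: {', '.join(shared)}")
    return findings
```

With the sample data, a wrapper target of 91:1 (owner:daemon) is reported as sharing its group with other accounts, while 91:91 produces no findings.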
