Re: Possible bufferoverflow condition in lpr, xterm and xload
daemon@ATHENA.MIT.EDU (Elliot Lee)
Tue Aug 13 20:20:03 1996
Date: Tue, 13 Aug 1996 13:56:43 -0400
Reply-To: Elliot Lee <sopwith@redhat.com>
From: Elliot Lee <sopwith@redhat.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199608131325.JAA21033@denali.contract.kent.edu>
On Tue, 13 Aug 1996, Mike Acar wrote:
> It might be worth noting that when I ran tiger on my bastardized and
> upgraded Red Hat 2.0 system, it produced a 7 MB output. Mostly this was
> complaining about lots of things being group bin, root, etc writable. Or
> perhaps this is no surprise to anybody. To Red Hat's credit, none of the
> s[ug]id binaries they provide is writable by anybody but the owner.
1. 2.0 is ancient - if you are still running it w/o upgrades (which I
doubt, from the "bastardized" part :) there are worse security holes to
worry about.

2. The default setup for Red Hat is to have each person in their own
group, and have a umask of 002. When you change things, g+w permissions
get added, and tiger squawks. The pros and cons of the individual group
scheme as opposed to the UNIX norm are arguable, but you shouldn't have to
worry about any additional security problems with it (?)
--==== Elliot Lee = <sopwith@redhat.com> == Red Hat Software ====--
"Usenet is like a herd of performing elephants with diarrhea; massive,
difficult to redirect, awe-inspiring, entertaining, and a source of
mind-boggling amounts of excrement when you least expect it."
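The point in item 2 above is that a 002 umask only grants group write, and under Red Hat's user-private-group scheme the group on a freshly created file is the owner's own group, so that bit reaches nobody else; it only becomes a finding once the file's group is a shared one, or once the file is setuid/setgid. The following is an added example, not code from the post or from Red Hat: it shows what a 002 versus 022 umask actually produces on disk, and audits a constructed list of directory entries with a hypothetical uid-to-private-gid table, flagging only the cases where g+w really widens access.

```python
import os
import stat
import tempfile

# Hypothetical user-private-group (UPG) table, uid -> gid of that user's own
# group. Constructed for this example; a real audit would read it from
# /etc/passwd and /etc/group.
PRIVATE_GROUP_OF = {0: 0, 1000: 1000, 1001: 1001}

# Constructed sample entries: (path, permission bits, uid, gid).
SAMPLE_ENTRIES = [
    ("/home/alice/notes.txt",  0o664,  1000, 1000),  # UPG default: g+w, but gid is alice's own group
    ("/usr/local/bin/tool",    0o664,  1000,  100),  # chgrp'd to a shared group: g+w now matters
    ("/etc/motd",              0o644,     0,    0),  # no group write bit at all
    ("/usr/bin/setuid-ok",     0o4755,    0,    0),  # setuid, writable by owner only
    ("/usr/bin/setuid-bad",    0o4775,    0,    0),  # setuid AND group-writable: always a finding
]


def mode_under_umask(requested: int, umask: int) -> int:
    """Permission bits that creat(2) with `requested` yields under `umask`."""
    return requested & ~umask & 0o777


def created_mode(umask: int) -> int:
    """Create a real file under `umask` in a temp dir and return its permission bits."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "probe")
            with open(path, "w") as fh:   # open() requests 0o666 by default
                fh.write("probe\n")
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def group_write_reaches_others(mode: int, uid: int, gid: int, private_group_of: dict) -> bool:
    """True when g+w is set and the file's group is not the owner's private group,
    i.e. when some other user can actually write through that bit."""
    if not mode & stat.S_IWGRP:
        return False
    return private_group_of.get(uid) != gid


def setxid_writable_by_non_owner(mode: int) -> bool:
    """setuid/setgid files must not be writable by group or other, whatever the group is."""
    setxid = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    non_owner_write = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    return setxid and non_owner_write


def audit(entries, private_group_of: dict) -> dict:
    """Return {path: [reasons]} for entries whose write bits widen access beyond the owner."""
    findings = {}
    for path, mode, uid, gid in entries:
        reasons = []
        if setxid_writable_by_non_owner(mode):
            reasons.append("setuid/setgid and writable by group or other")
        if group_write_reaches_others(mode, uid, gid, private_group_of):
            reasons.append("group-writable by a shared group")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    print("umask 002 ->", oct(created_mode(0o002)), "umask 022 ->", oct(created_mode(0o022)))
    for path, reasons in audit(SAMPLE_ENTRIES, PRIVATE_GROUP_OF).items():
        print(path, ":", "; ".join(reasons))
```

The UPG exception is deliberately not applied to setuid/setgid files: a writable setuid binary is a finding regardless of who shares the group, which matches the original poster's observation that the shipped s[ug]id binaries are writable only by their owner.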