[3698] in bugtraq
Re: Security Problems in XMCD 2.1
daemon@ATHENA.MIT.EDU (repayne@jeeves.net)
Wed Nov 27 14:16:12 1996
Date: Wed, 27 Nov 1996 10:16:32 -0600
Reply-To: repayne@jeeves.net
From: repayne@jeeves.net
X-To: felicity@KLUGE.NET
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@Netspace.Org>
On Tue, 26 Nov 1996 16:14:48, Theo Van Dinter said:
> On a side tangent, I grabbed the 2.1 binary (since I don't have the motif
> libraries under Linux...) and installed it. It's not setuid by default...
On Solaris 2, on the other hand, the binary gets installed SUID, but doesn't
seem to require it (after removing the SUID bit, everything still seems to function,
although the database may not be updated for new CDs).
> On a side tangent, the standard rule of thumb is: "If a program doesn't
> really need SUID/GID, don't give it SUID/GID." ... Doesn't fix the buffer
> overrun, but it doesn't give the user root either...
I believe that also should go without saying. The problem, I believe, is
that many systems require that a binary be SUID in order to access the
drives at this level.
-rob