[5908] in bugtraq
Re: Security flaw in either DIT TransferPro or Solaris
daemon@ATHENA.MIT.EDU (The Man)
Wed Jan 7 15:33:19 1998
Date: Wed, 7 Jan 1998 12:03:35 -0800
Reply-To: The Man <scott@LACKLUSTER.NET>
From: The Man <scott@LACKLUSTER.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980105005733.32939@lackluster.net>; from The Man on Mon,
Jan 05, 1998 at 12:57:33AM -0800
On Mon, Jan 05, 1998 at 12:57:33AM -0800, The Man wrote:
>
> They should, of course, be mode 0640. I'm not sure if this is Solaris's fault
> or the fault of this package. But no matter whose fault it is, it's quite
> nasty. :)
>
The fix for this is to change the entry in /etc/minor_perm for the ff driver.
I've been contacted by two people from DIT, and neither seems to think that
having a root device readable and writable by anyone with system access is
a security problem. They say that the devices must have these permissions
in order for users to access devices through the TransferPro
application. There are other methods, of course.
--
Scott Smith
scott@lackluster.net
Mail received via UUCP, read with Mutt, and composed with vi on NetBSD-1.2G.
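
The following is an added example and is not part of the original message or of any DIT or Sun code. It audits a minor_perm-style file for entries that grant read or write access to "other", which is the condition the message describes for the ff driver. It assumes the line format "driver:minor mode owner group"; the sample entries, including the "exdrv" driver name, are constructed for illustration.

```shell
#!/bin/sh
# Audit a minor_perm-style file for device entries that grant access to "other".
# Assumed line format: driver:minor_name mode owner group  ('#' starts a comment)

# audit_minor_perm FILE [DRIVER]
# Prints "<driver:minor> <mode> <finding>" for each world-accessible entry.
# Returns 1 if anything was flagged, 0 otherwise.
audit_minor_perm() {
    awk -v want="${2:-}" '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
        {
            split($1, dev, ":")
            if (want != "" && dev[1] != want) next
            if ($2 !~ /^[0-7]+$/) next           # mode must be octal digits
            other = substr($2, length($2), 1) + 0    # last digit = "other" bits
            r = (other >= 4)                     # read bit (4)
            w = (int(other / 2) % 2 == 1)        # write bit (2)
            if (r && w)  { print $1, $2, "world-read+write"; bad = 1 }
            else if (w)  { print $1, $2, "world-write"; bad = 1 }
            else if (r)  { print $1, $2, "world-read"; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (not copied from a real system).
make_sample() {
    cat <<'EOF'
# constructed sample entries
sd:* 0640 root sys
ff:* 0666 root sys
exdrv:ctl 0644 root sys
EOF
}

# When run with arguments, audit the given file (and optional driver name).
if [ "$#" -gt 0 ]; then
    audit_minor_perm "$@"
fi
```

Some pseudo-devices are intentionally world-accessible, so flagged entries are candidates for review rather than automatic changes.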