[6880] in bugtraq


Re: SECURITY: Red Hat Linux 5.1 linuxconf bug

daemon@ATHENA.MIT.EDU (Sergio Ballestrero)
Mon Jun 1 12:44:34 1998

Date: 	Sat, 30 May 1998 11:54:56 +0200
Reply-To: Sergio Ballestrero <sergio@pratonext.it>
From: Sergio Ballestrero <sergio@PRATONEXT.IT>
X-To:         "Michael K. Johnson" <johnsonm@redhat.com>,
              Jacques Gelinas <jack@solucorp.qc.ca>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199805281502.LAA25071@tristan.redhat.com>

On Thu, 28 May 1998, Michael K. Johnson wrote:

> In Red Hat Linux 5.1, linuxconf version 1.11r11-rh2 was inadvertently
> setuid root.  This creates the potential for security holes that allow
> attackers to gain root access to your machine.  (Users of Red Hat
> Linux 5.0 and earlier are NOT affected, as linuxconf was not included
> with any previous version of Red Hat Linux.)
>
> If you have installed Red Hat Linux 5.1, you can immediately remove
> the danger by logging in as root and running the command:
>
>       chmod -s /bin/linuxconf
>
> We also recommend that you update to the latest version of linuxconf,
> linuxconf-1.11r11-rh3, which fixes this bug.
> Thanks to BUGTRAQ for finding and reporting this.

 The binary RPMs have always been shipped with suid linuxconf. Does this
announcement mean that linuxconf has been found insecure, so that it MUST not
be used suid? I haven't seen anything about linuxconf on BUGTRAQ, apart
from your posting.

 The fact is, linuxconf's most valuable feature, to me, is the possibility
to delegate user administration. If I drop SUID, I cannot do that anymore,
right? And I cannot use remote admin either.

 So, if linuxconf is so insecure that one cannot dare to have it suid, it
almost becomes useless.

 Could you (Michael, Jacques) please clarify about Linuxconf security?
It is fundamental to know whether the security risks are only from local
users, or also from external attacks.

 Is there somebody doing security auditing on Linuxconf?

                             Cheers, Sergio

 -------------------------------------------------------------------------
   Sergio Ballestrero                                    PratoNeXt s.r.l.
     System Manager                           Via Giotto 27 59100 Prato
     sergio@pratonext.it                        Tel 604350 - Fax 604454
 -------------------------------------------------------------------------
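The remediation quoted from the Red Hat notice above is a single `chmod -s`. The following is an added example, not part of this thread or of linuxconf, showing how an administrator would check a binary for the setuid bit, strip it the way the notice recommends, confirm the result, and list any other setuid files under a directory. It runs against a constructed throwaway file in a temporary directory (the path `/bin/linuxconf` is not touched, and no root privileges are needed); the function names `is_setuid`, `drop_suid` and `list_setuid` are mine.

```shell
#!/bin/sh
# Added example: audit and strip the setuid bit, as recommended in the
# Red Hat notice quoted above. Not code from the original thread.

# is_setuid PATH -> exit 0 if PATH carries the setuid bit, 1 otherwise
is_setuid() {
    [ -u "$1" ]
}

# drop_suid PATH -> run "chmod -s" (clears setuid and setgid) and verify
# that neither bit remains; exit 0 on success, 1 otherwise
drop_suid() {
    chmod -s "$1" || return 1
    if [ -u "$1" ] || [ -g "$1" ]; then
        return 1
    fi
    return 0
}

# list_setuid DIR -> print every regular file under DIR with setuid set;
# run as "list_setuid /" on a real system to find unexpected ones
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Constructed sample: a stand-in "linuxconf" in a temp dir, made setuid
# (mode 4755, rwsr-xr-x) to mimic the inadvertently setuid package.
demo_dir=$(mktemp -d)
demo_bin="$demo_dir/linuxconf"
printf '#!/bin/sh\necho linuxconf stub\n' > "$demo_bin"
chmod 4755 "$demo_bin"

# Stand-alone run: report, remediate, report again.
if is_setuid "$demo_bin"; then
    echo "setuid bit set on $demo_bin, stripping it"
    drop_suid "$demo_bin" && echo "setuid bit removed from $demo_bin"
fi
echo "setuid files remaining under $demo_dir:"
list_setuid "$demo_dir"
```

The `find -perm -4000` form matches files whose mode includes the setuid bit regardless of the other bits, so it picks up both 4755 and 4711 binaries. Stripping the bit is exactly what costs the delegated and remote administration that the reply above is asking about, so run the audit first and decide per binary.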

