[9820] in bugtraq
Re: Linux /usr/bin/gnuplot overflow
daemon@ATHENA.MIT.EDU (Andrea Arcangeli)
Fri Mar  5 14:39:59 1999
Date: 	Fri, 5 Mar 1999 20:03:39 +0100
Reply-To: Andrea Arcangeli <andrea@E-MIND.COM>
From: Andrea Arcangeli <andrea@E-MIND.COM>
X-To:         Hans-Bernhard Broeker <broeker@PHYSIK.RWTH-AACHEN.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.93.990305141357.29986C-100000@acp3bf>
On Fri, 5 Mar 1999, Hans-Bernhard Broeker wrote:
>I strongly second this recommendation. I'll mail S.u.S.E. about it, if
>no-one else does (but then, they're bound to have someone reading bugtraq,
>right?).
If you use SuSE and you care a _lot_ about local security you must edit
/etc/rc.config and set PERMISSION_SECURITY="paranoid". That way gnuplot
would _not_ be suidroot. See the contents of /etc/permissions.paranoid:
root@laser:/home/andrea# grep gnuplot /etc/permissions.paranoid
# WHY ON HELL was gnuplot suid root !!!!!
/usr/bin/gnuplot                       root.root        755
Using PERMISSION_SECURITY="secure" was just installing tvscreen _not_
suidroot.
Using PERMISSION_SECURITY="easy" (and note: you are asked to set "easy"
instead of "secure") is very risky in an environment that has to be
secured, but you asked for that so don't complain (e.g. about xtvscreen).
I just tried once to fix the disinformation on the list about SuSE
xtvscreen suidroot but Aleph One didn't accept my email. I don't know
why Aleph One didn't accept my first email. Aleph?
Andrea Arcangeli
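
Added example, not part of the original message or of SuSE's tooling: a POSIX sh check that reads a permissions list in the format shown by the grep output above and reports files whose on-disk mode deviates from it, calling out setuid files. The line format is inferred from that one quoted line; the names audit_perms and demo and the ROOT prefix argument are hypothetical, and owner/group are not compared.

```sh
# Added example. Assumed line format, from the grep output quoted above:
#   <path> <owner>.<group> <mode>      ('#' starts a comment)
# audit_perms POLICY [ROOT]: compare each listed file's mode with the policy.
# ROOT is a hypothetical prefix so the check can run on a scratch tree.
# Owner and group are parsed but not compared. Returns 1 on any deviation.
audit_perms() {
    policy=$1
    root=${2:-}
    findings=0
    while read -r path owner mode rest; do
        case $path in
            ''|'#'*) continue ;;                  # blank line or comment
        esac
        target=$root$path
        if [ -z "$mode" ] || [ ! -e "$target" ]; then
            continue                              # malformed line or file absent
        fi
        # find -perm with a bare octal mode matches only on exact equality
        if [ -z "$(find "$target" -prune -perm "$mode")" ]; then
            if [ -n "$(find "$target" -prune -perm -4000)" ]; then
                echo "SETUID $path (policy says $mode)"
            else
                echo "MODE $path (policy says $mode)"
            fi
            findings=$((findings + 1))
        fi
    done < "$policy"
    [ "$findings" -eq 0 ]
}

# Constructed sample: scratch tree with one setuid file, one conforming file,
# and one policy entry whose file does not exist.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    : > "$tmp/usr/bin/gnuplot"; chmod 4755 "$tmp/usr/bin/gnuplot"
    : > "$tmp/usr/bin/other";   chmod 755 "$tmp/usr/bin/other"
    cat > "$tmp/policy" <<'EOF'
# constructed policy in the style of /etc/permissions.paranoid
/usr/bin/gnuplot                       root.root        755
/usr/bin/other                         root.root        755
/usr/bin/missing                       root.root        755
EOF
    if audit_perms "$tmp/policy" "$tmp"; then ret=0; else ret=1; fi
    rm -rf "$tmp"
    return "$ret"
}
```

Run against the live system as audit_perms /etc/permissions.paranoid (no ROOT argument) to list installed files that are more permissive than the paranoid list.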