[15342] in bugtraq
Re: local root on linux 2.2.15
daemon@ATHENA.MIT.EDU (Jeff Dafoe)
Wed Jun 14 19:09:42 2000
Message-ID: <NDBBIOPEKLHMHCDKLPLPKEIFCPAA.jeffd@evcom.net>
Date: Wed, 14 Jun 2000 16:44:18 -0400
Reply-To: Jeff Dafoe <jeffd@EVCOM.NET>
From: Jeff Dafoe <jeffd@EVCOM.NET>
X-To: Wojciech Purczynski <wp@ELZABSOFT.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0006121451250.2163-100000@alfa.elzabsoft.pl>

> IMHO, all those setuid-root programs should be fixed if they ignore return
> values of system calls.

Quote from sendmail security team advisory:
=====
Note that checking the return value from setuid() is insufficient;
the setuid(getuid()) succeeds even when the process does not have
"appropriate privileges."
=====

Jeff Dafoe
System Administrator
Evolution Communications, Inc.
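
The point quoted from the advisory, as an added example that is not part of the original post or of sendmail's code: a privilege drop that checks the return value of setuid() and then also verifies the result, by comparing the real and effective UIDs and confirming that effective UID 0 cannot be regained. The helper names `drop_is_complete` and `drop_privileges_permanently` are hypothetical, and group IDs are left out to keep the case narrow.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: decide whether a drop to `target` really took effect,
 * given the IDs observed afterwards and whether root could be regained. */
int drop_is_complete(uid_t ruid, uid_t euid, uid_t target, int regained_root)
{
    if (ruid != target || euid != target)
        return 0;
    /* For a non-root target, getting euid 0 back means the saved
     * set-user-ID is still 0, so the drop was not permanent. */
    if (target != 0 && regained_root)
        return 0;
    return 1;
}

/* Hypothetical helper: drop to `target` for good.
 * Returns 0 only when the drop has been verified, -1 otherwise. */
int drop_privileges_permanently(uid_t target)
{
    int regained = 0;

    if (setuid(target) != 0)      /* necessary check, but not sufficient */
        return -1;

    /* A return value of 0 above does not prove the saved set-user-ID
     * changed. Probe for it: this call must fail after a real drop. */
    if (target != 0 && seteuid(0) == 0)
        regained = 1;             /* euid is 0 again; caller must abort */

    return drop_is_complete(getuid(), geteuid(), target, regained) ? 0 : -1;
}

int main(void)
{
    if (drop_privileges_permanently(getuid()) != 0) {
        fprintf(stderr, "privilege drop could not be verified, aborting\n");
        return 1;
    }
    puts("privileges dropped and verified");
    return 0;
}
```

A caller that gets -1 should exit rather than continue, since the process may still hold or have regained effective UID 0.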