[15446] in bugtraq


Re: [Stan Bubrouski : Re: rh 6.2 - gid

daemon@ATHENA.MIT.EDU (Frank da Cruz)
Fri Jun 23 16:39:51 2000

Message-ID:  <CMM.0.90.4.961773113.fdc@watsun.cc.columbia.edu>
Date:         Fri, 23 Jun 2000 11:11:53 EDT
Reply-To: Frank da Cruz <fdc@COLUMBIA.EDU>
From: Frank da Cruz <fdc@COLUMBIA.EDU>
X-To:         Stan Bubrouski <satan@FASTDIAL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of Thu, 22 Jun 2000 20:36:42 EDT

> Ya know the sad thing is I pointed out these problems in
> bugzilla posts the gkermit being sgid uucp I reported
> two+ weeks ago.  No response.  My description of the
> gkermit bug which I reported couple weeks ago can be
> found here:
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11870
>
Hi all.  I'm the author of gkermit, and this is the first
I've heard of any of this (your message was forwarded to
me by somebody who saw it on a mailing list).  The author /
support contact address is listed in the usage message and the
man page; as a matter of courtesy, it should be included in
bug reports.

So who said gkermit should be installed suid or sgid?  It
shouldn't.  It does not need privileges for anything.  The
documentation says so:

  The makefile creates a binary called "gkermit". Simply
  move this binary to the desired directory, such as
  /usr/local/bin. It needs no special permissions other than
  read, write, and execute for the desired users and groups:
  no setuid, no setgid, or any other form of privilege.

This is from:

  http://www.columbia.edu/kermit/gkermit.html

> The C-Kermit package that comes on the Powertools CD with
> Red Hat 6.2 is installed sgid uucp as well and contains
> a plethora of unchecked buffers that can be used to run
> commands as gid uucp. Details can be found here:
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11723
>
This one is news too and, again, I'd appreciate receiving
reports like this.  Of course I'll follow up on it.  There
might be a couple unchecked buffers, but there is not a
plethora of them.  A great deal of effort has gone into
pre-checking buffer copy operations, and if some places
were missed they can be fixed.

Frank da Cruz
The Kermit Project
Columbia University
612 West 115th Street
New York NY  10025-7799
USA
Email: fdc@columbia.edu
Web:   http://www.columbia.edu/kermit/
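
The following is an added example, not part of the original message and not code from the Kermit Project: a shell check that an installed binary meets the requirement quoted above from the gkermit documentation (no setuid, no setgid). The function names are hypothetical, and the file paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example: verify that binaries documented as needing no privilege
# (such as gkermit) were not packaged setuid or setgid.
# Usage after sourcing: audit_unprivileged /usr/local/bin/gkermit

# priv_bits FILE -> prints "setuid", "setgid", "setuid+setgid" or "none"
priv_bits() {
    f=$1
    bits=
    # test -u / -g are POSIX: true when the set-user-ID / set-group-ID bit is set
    if [ -u "$f" ]; then
        bits=setuid
    fi
    if [ -g "$f" ]; then
        bits=${bits:+$bits+}setgid
    fi
    echo "${bits:-none}"
}

# audit_unprivileged FILE... -> one report line per file;
# returns 1 if any file is missing or carries a privilege bit
audit_unprivileged() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            rc=1
            continue
        fi
        b=$(priv_bits "$f")
        if [ "$b" = none ]; then
            echo "OK $f"
        else
            # owner:group tells you whose privileges the bit would grant
            echo "VIOLATION $f $b $(ls -ld "$f" | awk '{print $3":"$4}')"
            rc=1
        fi
    done
    return $rc
}

# strip_priv FILE... -> clear both bits, leaving ordinary rwx permissions alone
strip_priv() {
    chmod u-s,g-s "$@"
}
```

A nonzero return from `audit_unprivileged` can gate a package build or a post-install check, with `strip_priv` applied to any file reported as a violation.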
