OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: TESO & C-Skills development advisory -- imwheel
From: WHiTe VaMPiRe (whitevampireMINDLESS.COM)
Date: Sun Mar 19 2000 - 10:31:56 CST

On Thu, Mar 16, 2000 at 02:38:47PM +0100, Sebastian(krahmerCS.UNI-POTSDAM.DE) wrote:
: TESO Security Advisory
: 2000/03/13
:
: imwheel local root compromise

        The Slackware package available from Linuxmafia.org
(http://linuxmafia.org/pcentral/search_view.php3?name=imwheel) is not
effected by this, as it does not package with the SUID wrapper. (The
binary included is also not set SUID.) This is with version 0.9.6 of
imwheel.

        A SUID wrapper should simply not be necessary in the first
place.

        As far as I can tell the standard package of imwheel 0.9.7 does
not have a wrapper. However, during 'installation,' it will prompt you
asking whether or not to install SUID.

An excerpt from the Makefile:

        ## Setting UID, this is best for non-root usage!
        ## This does not effect usage for root users. (duh!)
        ## This gives all users kill privileges for other imwheel processes.

        Judging from that, if you setup imwheel to be started via the
users' xinit scripts, and killed upon logout, it would have the same
function.

        To reiterate, SUID is just a quick cop-out for a better
setup. If it is a one-user desktop machine, even less than that would
have to be done.

Regards, 

-- 
    __      ______   ____
   /  \    /  \   \ /   / WHiTe VaMPiRe\Rem
   \   \/\/   /\   Y   /  whitevampiremindless.com
    \        /  \     /   http://www.projectgamma.com/
     \__/\  /    \___/    http://www.gammaforce.org/
          \/ "Silly hacker, root is for administrators."
  • application/pgp-signature attachment: stored