From: Valdis Kletnieks (Valdis.Kletnieks VT.EDU)
Date: Sun Feb 04 2001 - 23:12:31 CST
On Sun, 04 Feb 2001 01:48:34 +0100, Robert van der Meulen <rvdm CISTRON.NL> said:
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.
Although it may not apply to *this* *particular* issue, let's all not
forget that just because something is not suid/sgid it's not a security
issue. I'm sure that both 'man' and 'm4' get run a *lot* as root, and
have we forgotten the .sy nroff command and trojan manpages? ;)
It will be a security problem as soon as somebody finds a way to get
root to run 'man -l %n' or 'm4 -G %n'.... ;)
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
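
A defender-side check for the trojan-manpage concern raised in the message above, as an added example that is not part of the original post: it flags man pages containing roff requests that groff refuses in its default safer mode (`sy`, `pi`, `pso`, `open`, `opena`). The function names and the sample page are constructed for illustration, and the match is a heuristic that assumes the default control characters.

```python
import gzip
import re
import sys
from pathlib import Path

# Requests groff disables in its default "safer" mode (re-enabled only by -U).
UNSAFE_REQUESTS = ("sy", "pi", "pso", "open", "opena")

# A request line starts with a control character ('.' or "'"), optional
# blanks, then the request name, which must end at whitespace or end of line.
REQUEST_RE = re.compile(r"^[.'][ \t]*(" + "|".join(UNSAFE_REQUESTS) + r")(?=\s|$)")

# Constructed sample page: two unsafe request lines, two harmless look-alikes.
SAMPLE_PAGE = """.TH EXAMPLE 1
.SH NAME
example \\- constructed page for the scanner
.sy echo constructed-marker
.SH DESCRIPTION
The text .sy inside a sentence is not a request.
'  pi cat
.system is not a groff request
"""

def scan_text(text):
    """Return (line_number, request, line) for every unsafe request line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.match(line)
        if match:
            hits.append((number, match.group(1), line.strip()))
    return hits

def scan_file(path):
    """Scan one man page, transparently handling gzip-compressed pages."""
    raw = Path(path).read_bytes()
    if raw[:2] == b"\x1f\x8b":          # gzip magic bytes
        raw = gzip.decompress(raw)
    return scan_text(raw.decode("latin-1"))  # latin-1 never fails to decode

def scan_tree(root):
    """Map each file under root that contains unsafe requests to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (hits := scan_file(path)):
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/man"
    for name, hits in scan_tree(root).items():
        for number, request, line in hits:
            print(f"{name}:{number}: .{request}: {line}")
```

A hit is a reason to review the page by hand, not proof of tampering.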