Re: Verity/Search'97 Security Problems

To: BUGTRAQ@xxxxxxxxxxxx
Subject: Re: Verity/Search'97 Security Problems
From: Jay Soffian <jay@xxxxxxxxxxx>
Date: Thu, 16 Jul 1998 17:28:47 -0400
Approved-by: aleph1@DFW.NET
In-reply-to: Your message of Thu, 16 Jul 1998 17:18:34 -0400.
Reply-to: Jay Soffian <jay@xxxxxxxxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxx>

+--Jay Soffian <jay@xxxxxxxxxxxxxxxxxxxx> once said:
|
|
|Obviously, you want to either make verity_path_post something less
|obvious than ".orig" or you want to suid the wrapper to some
|unprivledged user and make the ".orig" file executable by only that
|user.
|
|Duh.

Last message, I promise. My brain isn't working today. suid (or sgid)
is a terrible idea. Using something other than '.orig' works, but
that's security by obscurity. Probably, you are best using a <files>
section (or equiv if not Apache) to protect the '.orig' binaries.

j.
--
Jay Soffian <jay@xxxxxxxxxxx>                       UNIX Systems Administrator
404.572.1941                                             Cox Interactive Media

Prev by Date: S.A.F.E.R. Security Bulletin 980708.DOS.1.1
Next by Date: EMERGENCY: new remote root exploit in UW imapd
Previous by thread: Re: Verity/Search'97 Security Problems
Next by thread: Re: Verity/Search'97 Security Problems
Index(es):
- Date
- Thread