
Re: FW: [cobalt-security] Local Root exploit




Hi Michel

| Geeee ... no, I exclusively post only half cooked and untested ideas to
| mailing lists. ;o)
funny? ;)

| Seriously: I tested it the usual way: "chmod 755 /usr/lib/authenticate" the
| first minute I saw the report on bugtraq. I then tested the admin interface
| and a htaccess protected web folder on that server and they still worked
| fine.
Ok, but did you check that chmod 755 really did fix the setuid bit? Try
chmod 0755.

| I then implemented the fix on all my RaQs and even though some of the boxes
| host up to 75 domains of various customers there have been no complaints yet -
| in two or three weeks? Around that figure.
I almost did so, but at the 5th one I fixed, I had the feedback that
everything goes wrong.

| So for all *my* usual purposes and that of my webhosting customers nothing is
| broken. As said: Nobody around here uses Frontpage and if they did then I'd
| say: "Not my problem - this ain't a Mickeysoft server!"
|
| Anyway, what's the problem? You can always go back by setting the SUID bit on
| /usr/lib/authenticate if the fix doesn't work for you <shrug>.
So as someone said on this list, admserv runs under uid 0, so not having
the suid bit doesn't matter.
That's why admserv authentication still works.

Now if it works for normal sites also, it means your shadow password
file is world readable...
Do you prefer world readable shadow file or suid bit on authenticate? :o)

So the problem I mentioned is still there.

Will Sun care?

--
Rene Luria <operator@xxxxxxxxxxxxx>
Unix Administrator - Infomaniak Network SA
PGP key DFE5C340 at keyserver.pgp.com
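
Added example (not part of the original message, and not Cobalt/Sun code): a small shell audit of the trade-off raised above, checking the actual mode bits after the chmod instead of assuming them. The verdict names and the demo's temporary files are constructed for illustration; on a real host pass /usr/lib/authenticate and the shadow file (assumed here to be /etc/shadow) as the two arguments.

```shell
#!/bin/sh
# Added example: audit the trade-off discussed in this thread.
# Verdict names are constructed; /etc/shadow is an assumed default path.

# has_mode FILE OCTAL: succeeds if every bit in OCTAL is set on FILE.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_auth HELPER SHADOW: print how non-root callers can authenticate.
audit_auth() {
    helper=$1
    shadow=$2
    if [ ! -e "$helper" ] || [ ! -e "$shadow" ]; then
        echo MISSING_FILE
        return 2
    fi
    if has_mode "$shadow" 0004; then
        echo SHADOW_WORLD_READABLE   # hashes exposed to every local user
    elif has_mode "$helper" 4000; then
        echo HELPER_SETUID           # helper (if root-owned) can read shadow
    else
        echo ROOT_CALLERS_ONLY       # only uid 0 callers can authenticate
    fi
}

# demo: replay the thread's steps on constructed temp files (no real paths).
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/authenticate"
    : > "$d/shadow"
    chmod 4755 "$d/authenticate"; chmod 600 "$d/shadow"
    audit_auth "$d/authenticate" "$d/shadow"     # before the fix
    chmod 755 "$d/authenticate"
    audit_auth "$d/authenticate" "$d/shadow"     # after chmod 755
    chmod 644 "$d/shadow"
    audit_auth "$d/authenticate" "$d/shadow"     # if shadow were opened up
    rm -rf "$d"
}

# With two arguments, audit real files; with none, run the constructed demo.
if [ "$#" -eq 2 ]; then audit_auth "$1" "$2"; else demo; fi
```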