> > On a server that you have shell access, you probably really need to add
> > 'passwd' to the 'suid partition'. You may need some other things,
> > on some of our servers, I have 'ping' as well.
>
> it's not really necessary to have passwd setuid.
> you just can write a passwd server process and the passwd(8)
> just talks to this server via unix domain sockets.
...
Or you can use tcb, which is default in Owl, where the
shadowed password entries are not all in the same file, but
rather in user-specific subdirectories. passwd is sgid
to get access to the tcb dir, and the shadow entry is writable
by the user directly, and only contains that user's entry.
More info at http://www.openwall.com/tcb/
--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

Thou shalt not pray to Zeus for things your usual god would laugh at.

Every message PGP signed
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
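
An added example, not part of the original post and not code from the tcb project: a small audit of the property described above, that each per-user shadow file is owned by its user and contains only that user's entry. The `<root>/<user>/shadow` layout, the function names and the sample entries are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_tcb(tcb_root, uid_of):
    """Return (user, problem) pairs for a tcb-style tree.

    tcb_root: directory with one subdirectory per user (assumed layout).
    uid_of:   callable mapping a username to its numeric uid.
    """
    problems = []
    for user in sorted(os.listdir(tcb_root)):
        path = os.path.join(tcb_root, user, "shadow")
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink planted by the user
        except OSError:
            problems.append((user, "no readable shadow file"))
            continue
        if not stat.S_ISREG(st.st_mode):
            problems.append((user, "shadow is not a regular file"))
            continue
        if st.st_uid != uid_of(user):
            problems.append((user, "shadow not owned by the user"))
        if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
            problems.append((user, "shadow accessible to other"))
        with open(path) as fh:
            names = [ln.split(":", 1)[0] for ln in fh if ln.strip()]
        if names != [user]:  # the file must hold exactly this user's entry
            problems.append((user, "entries for: " + ",".join(names)))
    return problems

def build_sample(root):
    """Constructed sample tree: alice is clean, bob's file holds a foreign entry."""
    samples = {"alice": "alice:$x$constructed:::::::\n",
               "bob": "bob:$x$constructed:::::::\nroot:$x$constructed:::::::\n"}
    for user, body in samples.items():
        os.mkdir(os.path.join(root, user), 0o700)
        path = os.path.join(root, user, "shadow")
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o600)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        me = os.getuid()  # sample files are owned by whoever runs the demo
        for user, problem in audit_tcb(root, lambda u: me):
            print(user, problem)
```

On a real system `uid_of` would be `lambda u: pwd.getpwnam(u).pw_uid`, and the audit needs enough privilege to read every user's subdirectory.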