Re: Announcement re suid'd cdrecord

On Fri, 2004-09-10 at 10:38 +0100, Paul Howarth wrote:
> > There was an announcement yesterday about updating cdrecord if it has
> > been manually suid'd. The link didn't give me any further information
> > but does that mean if it's not been suid'd then do not update it.

If it is on your system then it would be wise to update.

> This is a wild guess having not looked at the code, but I suspect that the
> updated cdrecord will refuse to run if it has been installed setuid root
> because, as the update announcement noted, that would be a very stupid thing
> to do.

There's a CVE number attached to the announcement.  That means there is
some sort of security problem.  (And the announcement subject states
SECURITY.)  Anyone who sets the vulnerable version of cdrecord suid root
could allow a malicious user to gain root privileges.

Many programs that have security flaws and are suid root can be used to
compromise the security of the entire system.  Thinking toward future
security flaws, one can conclude that it is unwise to allow everyone to run
anything with unrestricted root privileges.  The only programs which
deserve to be suid root are simple programs (such as console-helper)
which hopefully have had thorough security reviews.

Also, ponder this: cdrecord will allow the user to write data to files,
disks, etc.  If cdrecord is suid root then any malicious (or stupid)
user could easily destroy system files or entire storage devices.  Any
program that has the ability to write to files should never be suid
root.

-- 
 David Norris
  http://www.webaugur.com/dave/
  ICQ - 412039
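As an added illustration, not part of David Norris's post or of the cdrecord project: a small POSIX shell audit that lists set-user-ID executables under a directory tree together with their owner, so an administrator can see whether cdrecord (or anything else) has been manually suid'd, and a helper that drops the bit again. The function names, and the `--demo` mode that exercises them on constructed files in a temporary directory (so no root is needed), are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the original list post): audit a tree for
# set-user-ID files and report their owner, then strip the bit where
# it does not belong.  Names and the --demo mode are assumptions.

# Exit 0 if the file has the set-user-ID bit, 1 otherwise (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Print the owner of a file portably by parsing field 3 of ls -ld.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Print every regular file under $1 that is setuid, as "owner path" lines.
# Relies on find -perm -4000 (POSIX), so it works with GNU and BSD find.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        printf '%s %s\n' "$(file_owner "$f")" "$f"
    done
}

# Number of setuid files under $1, as a bare integer.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Remediation: clear the set-user-ID bit on a file that should not have it.
strip_setuid() {
    chmod u-s "$1"
}

# Demonstration on constructed data: two fake binaries in a scratch
# directory, one of them suid'd the way a careless admin might do it.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho fake cdrecord\n' > "$tmp/cdrecord"
    printf '#!/bin/sh\necho fake ls\n' > "$tmp/ls"
    chmod 4755 "$tmp/cdrecord"   # setuid bit set (constructed)
    chmod 0755 "$tmp/ls"         # normal executable
    echo "setuid files under $tmp:"
    list_setuid "$tmp"
    strip_setuid "$tmp/cdrecord"
    echo "after remediation: $(count_setuid "$tmp") setuid file(s)"
    rm -rf "$tmp"
}

# On a real system you would call, for example:  list_setuid /usr
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh audit_setuid.sh --demo` to see the constructed case, or source it and call `list_setuid /usr` to review the real set of setuid binaries; anything in that list that is not a small, reviewed helper is a candidate for `strip_setuid`.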