LEE, Yui-wah (Clement) writes (Re: A question on setting setuid bit):
This is an experimental package that we built and
evaluate internally (up to this moment). The program
that needs setuid is a cgi-bin program that is invoked
by apache2, which runs as a regular user www-data. The
cgi-bin
On Friday 07 July 2006 at 23:54 +0200, Javier Fernández-Sanguino Peña wrote:
I can do the security risk analysis for you: granting remote root through a web
server application is a recipe for disaster, those tactics were (or should
have been) abandoned ages ago.
Unfortunately webmin
LEE, Yui-wah (Clement) writes (Re: A question on setting setuid bit):
This is an experimental package that we built and
evaluate internally (up to this moment). The program
that needs setuid is a cgi-bin program that is invoked
by apache2, which runs as a regular user www-data. The
cgi-bin
LEE, Yui-wah (Clement) writes (A question on setting setuid bit):
I am building a package in which one of the binaries has
to have the setuid and setgid bits set. I wonder which
one of the following two is the more appropriate method
to use?
Forgive my scepticism, but which package, and why
programs are risky but I haven't got the
time to address the security risk yet (one thing at a
time ... :-)
Thanks for the alert.
Clement
On Fri, 7 Jul 2006, Ian Jackson wrote:
LEE, Yui-wah (Clement) writes (A question on setting setuid bit):
I am building a package in which one of the binaries has
On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote:
Hi,
This is an experimental package that we built and
evaluate internally (up to this moment). The program
that needs setuid is a cgi-bin program that is invoked
by apache2, which runs as a regular user www-data. The
Hi,
Thanks for articulating the risk. We will address it
later. The machines involved are experimental
prototypes not production machines.
Clement
On Fri, 7 Jul 2006, Javier Fernández-Sanguino Peña wrote:
On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote:
On Thursday 06 July 2006 at 07:36 +1000, Matthew Palmer wrote:
[about suid bits]
My personal preference would be for the maintainer to just take a stand, set
it or not, and let people who actually know what's going on use
dpkg-statoverride to fix the problem to their satisfaction. (This
On Thu, Jul 06, 2006 at 11:13:30AM +0200, Thibaut Paumard wrote:
In that case, does it make sense to prompt the admin once from the
postinst script with a message such as:
Warning: such file from such package installed with suid bit. If
this is unacceptable at your site, use dpkg-statoverride
Thibaut Paumard wrote:
On Thursday 06 July 2006 at 07:36 +1000, Matthew Palmer wrote:
[about suid bits]
My personal preference would be for the maintainer to just take a stand, set
it or not, and let people who actually know what's going on use
dpkg-statoverride to fix
Hi,
Thanks for all the responses. I finally settled with
the suggestion of Matt (install with right
permission, and then use dh_fixperms -X to exclude these
files' permissions from being reset to Debian's
default values).
Thanks!
Clement
On Wed, 5 Jul 2006, Matthew Palmer wrote:
The
On Thu, Jul 06, 2006 at 11:13:30AM +0200, Thibaut Paumard wrote:
On Thursday 06 July 2006 at 07:36 +1000, Matthew Palmer wrote:
[about suid bits]
My personal preference would be for the maintainer to just take a stand, set
it or not, and let people who actually know what's going on use
Bartosz Fenski aka fEnIo wrote:
3. Use dpkg-statoverride in your postinst script.
Don't do this, just ship the file in the package with the correct
permissions. dpkg-statoverride is (mostly) an admin tool which lets you
change default permissions.
See
On Wed, Jul 05, 2006 at 07:34:02AM +0200, Bartosz Fenski aka fEnIo wrote:
On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote:
I am building a package in which one of the binaries has
to have the setuid and setgid bits set. I wonder which
one of the following two is the
On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote:
dpkg-statoverride is a tool for the system administrator to specify a
different mode or ownership for a file to that which is provided in the
package. It is not meant to be used by the package.
there are cases where it's
On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote:
I am building a package in which one of the binaries has
to have the setuid and setgid bits set. I wonder which
one of the following two is the more appropriate method
to use?
It looks like you've got the answer to this
* sean finney
| On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote:
| dpkg-statoverride is a tool for the system administrator to specify a
| different mode or ownership for a file to that which is provided in the
| package. It is not meant to be used by the package.
|
| there
On Wed, Jul 05, 2006 at 03:25:37PM +0200, Tollef Fog Heen wrote:
| On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote:
| dpkg-statoverride is a tool for the system administrator to specify a
| different mode or ownership for a file to that which is provided in the
| package. It
On Wed, Jul 05, 2006 at 04:02:43AM -0400, sean finney wrote:
On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote:
dpkg-statoverride is a tool for the system administrator to specify a
different mode or ownership for a file to that which is provided in the
package. It is not meant to
On Wed, Jul 05, 2006 at 09:36:37AM +0100, Steve Kemp wrote:
On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote:
I am building a package in which one of the binaries has
to have the setuid and setgid bits set. I wonder which
one of the following two is the more
Hi,
I am building a package in which one of the binaries has
to have the setuid and setgid bits set. I wonder which
one of the following two is the more appropriate method
to use?
1. Use install -m 6755 file dir in the install
target of the Makefile.
However, I already tried this method
On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote:
I am building a package in which one of the binaries has
to have the setuid and setgid bits set. I wonder which
one of the following two is the more appropriate method
to use?
1. Use install -m 6755 file dir in the
22 matches