Alexander E. Patrakov wrote these words on 08/16/07 08:59 CST:

> One more thing. It installs /usr/bin/screen -> screen-[version] symlink,
> and the setuid binary is really /usr/bin/screen-[version]. Now let's
> suppose that a root hole is found in screen, a new version of screen is
> released, and a user updates his screen by following BLFS instructions.
> See the bug? The old buggy setuid binary /usr/bin/screen-[oldversion] is
> still there, ready for exploitation.

This would be an after-the-fact, way, way post-installation sysadmin task. Many of the binaries installed do the same thing: Gimp, AbiWord, Gnumeric, and others. I don't really want to get into tasks that have to do with previous installations of packages.

> The book should deal with this
> somehow, e.g., by disabling this stupid symlink.

Why? To the vast majority of people it would be an inconvenience. Those that have truly critical needs (production use) will take care of it themselves without being told. Or at least that's what I'd hope.

Your points are valid, Alexander, I'm just not sure it is something that BLFS wants to get into (sysadmin and modifying well-known defaults).

-- 
Randy

rmlscsi: [bogomips 1003.22] [GNU ld version 2.16.1] [gcc (GCC) 4.0.3] [GNU C Library stable release version 2.3.6] [Linux 2.6.14.3 i686]
09:09:00 up 8:14, 1 user, load average: 0.15, 0.26, 0.16
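An audit check for the stale versioned setuid binary Alexander describes, added here as an example and not part of the list thread or of BLFS itself; it assumes the layout of an unversioned symlink (`screen`) pointing at the versioned setuid binary (`screen-[version]`), and the demo builds a constructed copy of that layout in a temporary directory rather than touching /usr/bin:

```shell
#!/bin/sh
# Report versioned setuid binaries in DIR that the unversioned symlink
# NAME no longer points to, e.g. screen-4.0.2 left behind after the
# symlink moved on to screen-4.0.3. Prints one stale file name per line.
stale_setuid_versions() {
    dir=$1
    name=$2
    current=""
    if [ -L "$dir/$name" ]; then
        # Symlink target may be relative or absolute; compare basenames.
        current=$(basename "$(readlink "$dir/$name")")
    fi
    for f in "$dir/$name"-*; do
        [ -e "$f" ] || continue            # glob matched nothing
        base=$(basename "$f")
        [ "$base" = "$current" ] && continue   # the live version, keep it
        if [ -u "$f" ]; then               # setuid bit set: worth reporting
            echo "$base"
        fi
    done
}

# Constructed demo (assumed version numbers, not a real install): two
# setuid builds of screen in a temp dir, symlink on the newer one.
demo_stale_screen() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\n' > "$tmp/screen-4.0.2"
    printf '#!/bin/sh\n' > "$tmp/screen-4.0.3"
    chmod 4755 "$tmp/screen-4.0.2" "$tmp/screen-4.0.3"
    ln -s screen-4.0.3 "$tmp/screen"
    stale_setuid_versions "$tmp" screen    # prints: screen-4.0.2
    rm -rf "$tmp"
}
```

Run it as `stale_setuid_versions /usr/bin screen` (or against any other package installed the same way) after an upgrade; anything it prints is an old setuid copy to remove or chmod.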
