On Wed, 10 Jan 2001, Greg KH wrote:
[..]
> -----------------------------------------------------------------------
> Packages updated: shadow-utils
> Affected products: Immunix OS 7.0-beta
> Bugs Fixed: immunix/1319
> Date: January 10, 2000
> Advisory ID: IMNX-2000-70-027-01
> Author: Greg Kroah-Hartman <[EMAIL PROTECTED]>
> -----------------------------------------------------------------------
>
> Description:
> In an internal audit conducted while preparing Immunix Linux 7.0 we
> noticed a potential temp file race problem in the useradd program
> within the shadowutils package. The useradd program creates its temp
> files in the protected directory /etc/default, but if this directory
> is changed to world writable, a problem could occur.

Disclaimer: I'm the current shadow maintainer.

Sorry, but I can't agree with classifying this kind of bad code as a bug. Why? Because if you have (for example) /etc/default world writable, this is not a bug in (for example) shadow. On the other side, if you make any other normally non-world-writable directory (or file) world writable, you can find more "bugs" of this kind; all the rest of the analysis at this point can be dropped, and you can also try to prepare *very many* "fixes" of this kind at the source level and you still won't be able to defend the system against simple attacks .. *before fixing the permissions*.

By the above I'm not even trying to defend this incorrectly written fragment in useradd (which I fixed in the cvs tree a few weeks ago). I simply can't agree with this kind of logic, which tries to classify this kind of case as a bug or even a potential bug, simply because in a correctly configured system, and also even in a system out of the box, this can't be exploited (.. or I'm wrong, and please correct me and/or show me real exploit code). The existence in a system of the kind of bug which allows making /etc/default world writable gives the attacker all they want, and all other talk about other "potential" bugs will be only empty logical exercises.

Yes, fixing this kind of fragment must be an element of auditing code, but still this isn't even a potential bug, because without a bug outside this code this can't be exploited, and this is also the answer to why shadow with the fix for this was not officially released ASAP.

kloczek
--
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: [EMAIL PROTECTED]*
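
Added example, not part of either message and not shadow-utils code: the two defenses the thread weighs against each other, in C. `dir_is_exposed` checks the precondition the advisory names (a directory that anyone other than its owner can write to), and `create_temp_exclusive` creates the temp file with `O_CREAT|O_EXCL` so a pre-planted name or symlink is refused; both function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if group or other may create entries in dir (the precondition the
 * advisory names), 0 if only the owner may, -1 if dir is unusable.
 * A sticky bit does not help: others can still plant a new name. */
int dir_is_exposed(const char *dir)
{
    struct stat st;

    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* Create dir/name for writing, refusing a pre-existing entry.
 * With O_CREAT|O_EXCL, open() fails with EEXIST if the name already
 * exists, including when it is a symlink, so a planted link is never
 * followed. Returns an fd, or -1 with errno set. */
int create_temp_exclusive(const char *dir, const char *name)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);

    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (dir_is_exposed(dir) != 0) {
        errno = EPERM;          /* fix the permissions first */
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(int argc, char **argv)
{
    /* Default path is the directory named in the advisory. */
    const char *dir = argc > 1 ? argv[1] : "/etc/default";

    printf("%s: exposed=%d\n", dir, dir_is_exposed(dir));
    return 0;
}
```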
