On Jan 3, 2008 6:08 PM, Mark <[EMAIL PROTECTED]> wrote:
>
> a): Clamav were to run as root (and consequently run
> ..progname.day-of-month as root too), which is plain stupid.

There are lots of stupid people out there ;)

> Also, where does the idea come from that a symlink will magically bring
> the attacker root access? If .progname.day-of-month were a symlink, then
> please, anyone, show me to what sort of file this symlink could point to
> that would suddenly allow the attacker to gain root-access?

It's not magic, but it's possible. Plenty of effective attacks, in the real
world, have used this approach as part of a chain that results in gaining
root access.

> Also, on FreeBSD, we set /tmp +t, which means items in /tmp can be renamed
> or deleted only by the item's owner.

I think that's been standard on all Unix-type systems for a long time now.

> In short, I fail to see what the fuss is all about. O_EXCL should have
> been there, but it's a minor bug -- especially since the TS initially
> failed to realize there was randomness, after all (though it could be
> improved upon). I see no realistic possibilities for exploits. But I'm of
> course open to hearing how someone thinks a realistic attack could be
> mounted with it.

A minor vulnerability here, a minor vulnerability there, and pretty soon
you're talking something bigger ;)

As David said, attackers are creative - they're also often very persistent
and highly skilled. At the end of the day there would be real money behind
an exploit that could give any form of remote access to a host running
ClamAV.

-- 
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't
become a monster. Friedrich Nietzsche

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
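The thread above turns on one question: what does a pre-planted symlink under a predictable name in a sticky /tmp actually buy an attacker when the victim opens that name with O_CREAT but without O_EXCL? The following C program is an added example written for this page; it is not ClamAV code and not part of the e-mail thread. It builds a throwaway sandbox directory (assumed to live under /tmp, falling back to the current directory), plants a symlink named `.progname.03` (a hypothetical stand-in for the `.progname.day-of-month` name discussed above) pointing at a "victim" file, and then opens that name twice: once the vulnerable way, once with O_EXCL|O_NOFOLLOW. The sticky bit does not help here, because the attacker never needs to rename or delete anything: they only need to create the link before the victim does, and the victim process then writes through it with its own privileges.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a throwaway directory holding a "victim" file plus a symlink whose
 * name mimics a predictable temp-file name (.progname.<day-of-month>, here
 * hypothetically .progname.03). Returns 0 on success, -1 on failure. */
static int make_sandbox(char *dir, size_t dsz, char *victim, size_t vsz,
                        char *planted, size_t psz)
{
    snprintf(dir, dsz, "/tmp/symlink-demo-XXXXXX");   /* assumed writable */
    if (mkdtemp(dir) == NULL) {
        snprintf(dir, dsz, "./symlink-demo-XXXXXX");  /* fallback */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, vsz, "%s/victim", dir);
    snprintf(planted, psz, "%s/.progname.03", dir);

    /* The victim stands in for any file the privileged process may write;
     * an attacker who can plant the symlink chooses the real target. */
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "original\n", 9) != 9) { close(fd); return -1; }
    close(fd);

    /* Attacker step: pre-create the predictable name as a symlink. */
    return symlink(victim, planted) == 0 ? 0 : -1;
}

static void cleanup_sandbox(const char *dir, const char *victim,
                            const char *planted)
{
    unlink(planted);
    unlink(victim);
    rmdir(dir);
}

/* Returns 1 if the victim file still holds its original content. */
static int victim_intact(const char *victim)
{
    char buf[32] = {0};
    int fd = open(victim, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n == 9 && memcmp(buf, "original\n", 9) == 0;
}

/* Vulnerable pattern: O_CREAT without O_EXCL. open() follows the planted
 * symlink and truncates/overwrites whatever it points at, with the caller's
 * privileges. Returns 1 if the victim was clobbered (attack succeeded). */
int unsafe_open_follows_symlink(void)
{
    char dir[PATH_MAX], victim[PATH_MAX], planted[PATH_MAX];
    if (make_sandbox(dir, sizeof dir, victim, sizeof victim,
                     planted, sizeof planted) != 0)
        return -1;

    int clobbered = 0;
    int fd = open(planted, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        if (write(fd, "attacker-controlled\n", 20) == 20)
            clobbered = !victim_intact(victim);
        close(fd);
    }
    cleanup_sandbox(dir, victim, planted);
    return clobbered;
}

/* Hardened pattern: O_CREAT|O_EXCL (O_NOFOLLOW added for good measure).
 * POSIX requires open() to fail with EEXIST when the name already exists,
 * explicitly including the case where it names a symlink, so the planted
 * link is never followed. Returns 1 if open() was refused and the victim
 * is untouched. */
int safe_open_refuses_symlink(void)
{
    char dir[PATH_MAX], victim[PATH_MAX], planted[PATH_MAX];
    if (make_sandbox(dir, sizeof dir, victim, sizeof victim,
                     planted, sizeof planted) != 0)
        return -1;

    int refused = 0;
    int fd = open(planted, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        refused = victim_intact(victim);
    else if (fd >= 0)
        close(fd);
    cleanup_sandbox(dir, victim, planted);
    return refused;
}

int main(void)
{
    printf("O_CREAT alone clobbered the symlink target: %s\n",
           unsafe_open_follows_symlink() == 1 ? "yes" : "no");
    printf("O_CREAT|O_EXCL refused the planted symlink: %s\n",
           safe_open_refuses_symlink() == 1 ? "yes" : "no");
    return 0;
}
```

Run it as an ordinary user and the first line reports "yes": the process overwrote a file it never named, purely because an attacker-controlled link sat at a guessable path. Run the same thing as root and the target could be any file on the system, which is the chain the reply above alludes to. The fix is not randomness in the name alone (a persistent attacker can spray links over a small namespace) but O_EXCL, or better, mkstemp()/mkdtemp(), so the create either makes a brand-new file or fails loudly.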