Thierry Vignaud wrote:
Henri <[EMAIL PROTECTED]> writes:
sorry, i don't have any idea of the time needed to audit something
like drakconf...
there's not so many points where we exec some process or write some
files in drakconf, so this one is easy.
but when you talk about drakconf, i susp
Henri <[EMAIL PROTECTED]> writes:
> sorry, i don't have any idea of the time needed to audit something
> like drakconf...
there's not so many points where we exec some process or write some
files in drakconf, so this one is easy.
but when you talk about drakconf, i suspect you really want to say
On Fri, 14 Mar 2003, Henri wrote:
> Not every software : i was only asking about specific mandrake tools and
> "critical" ones : i think about verifying a last time, just before
> releasing, that permissions on tools installed in /sbin/ and /usr/sbin
> are correct, for example...
FYI, rpmlint d
Vincent Danen wrote:
On Thu Mar 13, 2003 at 08:26:23PM +0100, Henri wrote:
OpenSource is said to be more secure : a question has come to my mind :
before releasing the 9.1, will there be a security audit on critical
apps, on drakconf tools ecc. or not ? Perhaps this would avoid big holes
li
Levi Ramsey wrote:
On Fri Mar 14 13:45 -0500, scott chevalley wrote:
or, even more simply, resetting the bios, either by removing the cmos
battery, or in some computers there is a cmos clear pin header. short
the pins and it clears cmos, including passwords
That wouldn't disable the
On Fri Mar 14 13:45 -0500, scott chevalley wrote:
> or, even more simply, resetting the bios, either by removing the cmos
> battery, or in some computers there is a cmos clear pin header. short
> the pins and it clears cmos, including passwords
That wouldn't disable the LILO password, thoug
Jason Straight wrote:
> On Friday 14 March 2003 11:11 am, Levi Ramsey wrote:
>
>>If someone has physical access to the computer they can pass their own
>>parameters to the kernel, including init=/bin/bash, which, bada bing
>>bada boom, gives them insta
On Fri, 2003-03-14 at 17:07, Vincent Danen wrote:
> On Fri Mar 14, 2003 at 03:11:24PM +, Adam Williamson wrote:
>
> > Not entirely. You also have to lock your case shut somehow to stop
> > someone opening it up and flicking the BIOS reset...
> >
> > Anyway, in regards to the original bug, thi
On Friday 14 March 2003 17:59, Levi Ramsey wrote:
> On Fri Mar 14 11:52 -0500, Jason Straight wrote:
> > On Friday 14 March 2003 11:11 am, Levi Ramsey wrote:
> > > If someone has physical access to the computer they can pass their own
> > > parameters
Levi Ramsey wrote:
On Fri Mar 14 11:52 -0500, Jason Straight wrote:
On Friday 14 March 2003 11:11 am, Levi Ramsey wrote:
If someone has physical access to the computer they can pass their own
parameters to the kernel, including init=/bin/bash, which, bada bing
bada boom, gives them instant
On Fri Mar 14, 2003 at 03:11:24PM +, Adam Williamson wrote:
> Not entirely. You also have to lock your case shut somehow to stop
> someone opening it up and flicking the BIOS reset...
>
> Anyway, in regards to the original bug, this isn't purely a local
> exploit, surely? Doesn't it also appl
On Fri Mar 14 11:52 -0500, Jason Straight wrote:
> On Friday 14 March 2003 11:11 am, Levi Ramsey wrote:
> > If someone has physical access to the computer they can pass their own
> > parameters to the kernel, including init=/bin/bash, which, bada bing
> > bada boom, gives them instant root.
>
> ma
On Friday 14 March 2003 11:11 am, Levi Ramsey wrote:
> If someone has physical access to the computer they can pass their own
> parameters to the kernel, including init=/bin/bash, which, bada bing
> bada boom, gives them instant root.
man lilo - you can restrict it from allowing cmdline, or even b
On Friday 14 March 2003 09:56 am, scott chevalley wrote:
> perhaps not by default, but if you type
> linux single init=/bin/sh
>
> at a lilo prompt (or grub, but it would look different), you can bypass
> any security on the system except for encrypted filesystem security, as
> far as I'm aware. B
On Fri Mar 14 9:23 -0500, jokerman64 wrote:
> I disagree, i don't think that if you go into single user mode that you should
> be root. You should still have to log in. The argument that someone has
> physical access to your computer thus making it your problem and not an
> exploit is IMHO fall
Adam Williamson <[EMAIL PROTECTED]> writes:
> Anyway, in regards to the original bug, this isn't purely a local
> exploit, surely? Doesn't it also apply to someone ssh'ing in from a
> remote site? i.e., I could give a simple user account to someone in
> Australia, thinking it's safe, and they coul
On Friday 14 March 2003 10:11 am, Adam Williamson wrote:
> Not entirely. You also have to lock your case shut somehow to stop
> someone opening it up and flicking the BIOS reset...
>
> Anyway, in regards to the original bug, this isn't purely a local
> exploit, surely? Doesn't it also apply to some
On Fri, 2003-03-14 at 14:39, Jason Straight wrote:
> > I disagree, i don't think that if you go into single user mode that you
> > should be root. You should still have to log in. The argument that someone
> > has physical access to your computer thus making it your problem and not an
> > exploit
jokerman64 wrote:
On Friday 14 March 2003 6:58 am, Han Boetes wrote:
Chmouel Boudjnah <[EMAIL PROTECTED]> wrote:
Han Boetes <[EMAIL PROTECTED]> wrote:
That's a local exploit. I can think of a few other local
``exploits'' as well, like booting in single user mode.
this
On Friday 14 March 2003 06:45 am, Guillaume Cottenceau wrote:
> Henri <[EMAIL PROTECTED]> writes:
> > on critical apps, on drakconf tools ecc. or not ? Perhaps this
> > would avoid big holes like the shutdown one, no ?
>
> The shutdown problem is not a big hole. It grants local root
> access only f
Henri <[EMAIL PROTECTED]> writes:
> on critical apps, on drakconf tools ecc. or not ? Perhaps this
> would avoid big holes like the shutdown one, no ?
The shutdown problem is not a big hole. It grants local root
access only for people with a login on the "physical" machine
(console login). Securi
Henri <[EMAIL PROTECTED]> writes:
> That was a simple suggestion, it seemed important to me, that's
> all. Is security concerning only security experts ? I don't
> think so. Where is the problem to be a customer asking questions
> about security to the expert precisely ?! If you can justify the
>
On Friday 14 March 2003 09:23 am, jokerman64 wrote:
> On Friday 14 March 2003 6:58 am, Han Boetes wrote:
> > Chmouel Boudjnah <[EMAIL PROTECTED]> wrote:
> > > Han Boetes <[EMAIL PROTECTED]> wrote:
> > > > That's a local exploit. I can think of a few other local
> > > > ``exploits'' as well, like bo
On Friday 14 March 2003 6:58 am, Han Boetes wrote:
> Chmouel Boudjnah <[EMAIL PROTECTED]> wrote:
> > Han Boetes <[EMAIL PROTECTED]> wrote:
> > > That's a local exploit. I can think of a few other local
> > > ``exploits'' as well, like booting in single user mode.
> >
> > this is not an exploit
Chmouel Boudjnah <[EMAIL PROTECTED]> wrote:
> Han Boetes <[EMAIL PROTECTED]> wrote:
>
> > That's a local exploit. I can think of a few other local
> > ``exploits'' as well, like booting in single user mode.
>
> this is not an exploit if you can _boot_ in single user mode it
> means you have ac
Han Boetes <[EMAIL PROTECTED]> writes:
> That's a local exploit. I can think of a few other local ``exploits'' as
> well, like booting in single user mode.
this is not an exploit if you can _boot_ in single user mode it
means you have access to the hardware and if you have access we cannot
do
Han Boetes wrote:
Henri <[EMAIL PROTECTED]> wrote:
OpenSource is said to be more secure : a question has come to my mind
: before releasing the 9.1, will there be a security audit on critical
apps, on drakconf tools ecc. or not ?
These tools only run with root permissions. Not much to h
Henri <[EMAIL PROTECTED]> wrote:
> OpenSource is said to be more secure : a question has come to my mind
> : before releasing the 9.1, will there be a security audit on critical
> apps, on drakconf tools ecc. or not ?
These tools only run with root permissions. Not much to hack anymore
once you g
On Thu Mar 13, 2003 at 08:26:23PM +0100, Henri wrote:
> OpenSource is said to be more secure : a question has come to my mind :
> before releasing the 9.1, will there be a security audit on critical
> apps, on drakconf tools ecc. or not ? Perhaps this would avoid big holes
> like the shutdown o
Hi,
OpenSource is said to be more secure : a question has come to my mind :
before releasing the 9.1, will there be a security audit on critical
apps, on drakconf tools ecc. or not ? Perhaps this would avoid big holes
like the shutdown one, no ?