I have not yet found any uses for utmp/wtmp: maybe Joey is right and there
is no security issue. I would then suggest that to increase security,
setuid/setgid bits be removed from all utmp/wtmp maintainers.
In the meantime, I hope that conscientious sysadmins do look at who and
last output occasio
Loïc Minier wrote:
> Hi,
>
> On Fri, Oct 07, 2005, Martin Schulze wrote:
> > severity 329156 normal
> > thanks dude
>
> You didn't Cc: control, I've bounced it to control.
I usually use Bcc for that, so that group replies don't annoy
our control dude. :)
> > Ok, so unless somebody prov
Hi,
On Fri, Oct 07, 2005, Martin Schulze wrote:
> severity 329156 normal
> thanks dude
You didn't Cc: control, I've bounced it to control.
> Ok, so unless somebody proves us wrong we don't consider this a
> security problem.
Is something to be done for the allocated CVE id?
Cheers
severity 329156 normal
thanks dude
Loïc Minier wrote:
> Hi,
>
> On Fri, Oct 07, 2005, Martin Schulze wrote:
> > Could somebody explain the security implication for me?
>
> You can record in the utmp/wtmp logs something which is wrong, for
> example that a user is currently connected t
Joey,
> Could somebody explain the security implication for me?
>
> being able to write arbitrary strings into valid records without
> overwriting any other data in utmp/wtmp can hardly be classified
> as a security vulnerability.
It depends on what trust you place in the correctness of utmp/wtmp
Hi,
On Fri, Oct 07, 2005, Martin Schulze wrote:
> Could somebody explain the security implication for me?
You can record in the utmp/wtmp logs something which is wrong, for
example that a user is currently connected to a display while he
isn't. I'm not the one to argue with though.
Could somebody explain the security implication for me?
being able to write arbitrary strings into valid records without
overwriting any other data in utmp/wtmp can hardly be classified
as a security vulnerability.
(Apart from that, I'm only slightly annoyed as I had to learn about
this via MITRE