Dependency reciprocity : real world problem with httpd and httpd-suexec

Steve G linux_4ever at yahoo.com
Tue Sep 7 23:47:35 UTC 2004


>>If you download a package from a 3rd party that has buffer overflows and 
>>is setgid, you now have a buggy program with buffer overflows running as root.
>
>Not sure about that - it should certainly not set the setuid bit

You don't need the setuid bit of root to start with. The setgid bit of root is
just enough wiggle room on most systems to compromise the whole thing in a few
steps.

-Steve Grubb

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 





More information about the fedora-devel-list mailing list