Re: LYNX-DEV Lynx 2.6
From: Jim Spath (Webmaster Jim)
Subject: Re: LYNX-DEV Lynx 2.6
Date: Mon, 19 May 1997 10:37:04 -0400 (EDT)
On Mon, 19 May 1997, Bob Tanner wrote:
> >> My administrator has disabled lynx 2.6 and will not put any version
> >> of lynx on the system because he said all versions of lynx have a
> >> bug that will allow root access. Is this true? Thank you.
> >This sounds more severe than any vulnerability that we are aware of.
> >Please ask your administrator to post to address@hidden
> >describing what he considers to be the attack to which Lynx makes
> >him vulnerable.
> >Al Gilman
> I am the administrator that disabled lynx. Please see the following URLs
> from the BUGTRAQ mailing list archive.
> http://www.geek-girl.com/bugtraq/1997_2/0174.html
> Won't you know it about 4 hours after I got this email I got hits on 3
> .rhosts files. Now, I could not verify if it was lynx doing it
> (hundreds of users online makes that difficult) but I am a paranoid
> individual and disabled lynx. I might be overly paranoid.
> As the/a author of the software can you validate/discredit my concerns?
> Nothing else was said on the BUGTRAQ list as of yet.
This issue (/tmp being world writable) has been discussed here recently.
No fix has yet been implemented, but here is a workaround:
In the global .profile for your Lynx users, do this:

    LYNX_TEMP_SPACE=$HOME/.lynx ; export LYNX_TEMP_SPACE

Create the $HOME/.lynx directory for all users, owned by that user
and writable by them only.
------
<http://www.cs.indiana.edu/picons/db/users/us/md/lib/bcpl/jspath/face.xbm>
Marvin the Paranoid Android says:
Don't think for a moment that I enjoyed doing that because I didn't.
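
The workaround in the message above, written out as an added example that is not part of the original message or of Lynx: a profile fragment that creates the private directory, verifies it, and only then exports LYNX_TEMP_SPACE. The function names lynx_tmp_ok and setup_lynx_tmp are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Helper names are hypothetical.

# lynx_tmp_ok DIR: succeed only if DIR is (or can be created as) a real
# directory owned by the caller and not writable by group or other.
# The body runs in a subshell so umask and variables do not leak into the login shell.
lynx_tmp_ok() (
    dir=$1
    # A symlink could redirect Lynx's temp files somewhere else, so refuse it.
    if [ -L "$dir" ]; then
        echo "lynx tmp: $dir is a symlink, refusing" >&2; exit 1
    fi
    if [ ! -e "$dir" ]; then
        umask 077                       # new directory is created with mode 0700
        mkdir -- "$dir" || exit 1
    fi
    # ls -ldn prints the mode string (field 1) and the numeric owner uid (field 3).
    set -f
    set -- $(ls -ldn -- "$dir")
    case $1 in
        d????-??-?*) ;;                 # directory, no group write, no other write
        *) echo "lynx tmp: $dir is not a private directory ($1)" >&2; exit 1 ;;
    esac
    if [ "$3" != "$(id -u)" ]; then
        echo "lynx tmp: $dir is owned by uid $3, refusing" >&2; exit 1
    fi
)

# setup_lynx_tmp DIR: export LYNX_TEMP_SPACE only when DIR passed every check.
setup_lynx_tmp() {
    lynx_tmp_ok "$1" || return 1
    LYNX_TEMP_SPACE=$1
    export LYNX_TEMP_SPACE
}

# Called from the global profile. On failure the variable is left unset,
# so the warning on stderr is the only sign that Lynx is still using /tmp.
[ -n "${HOME:-}" ] && setup_lynx_tmp "$HOME/.lynx" || true
```
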
- LYNX-DEV Lynx 2.6, Bob Tanner, 1997/05/19
- Re: LYNX-DEV Lynx 2.6, Jim Spath (Webmaster Jim) <=