lynx-dev

Re: LYNX-DEV Lynx 2.6


From: Jim Spath (Webmaster Jim)
Subject: Re: LYNX-DEV Lynx 2.6
Date: Mon, 19 May 1997 10:37:04 -0400 (EDT)

On Mon, 19 May 1997, Bob Tanner wrote:

> >>     My administrator has disabled lynx 2.6 and will not put any version
> >>  of lynx on the system because he said all versions of lynx have a
> >>  bug that will allow root access. Is this true? Thank you.
> >This sounds more severe than any vulnerability that we are aware of.
> >Please ask your administrator to post to address@hidden
> >describing what he considers to be the attack to which Lynx makes
> >him vulnerable.
> >Al Gilman
> I am the administrator that disabled lynx. Please see the following URLs
> from the BUGTRAQ mailing list archive.
> http://www.geek-girl.com/bugtraq/1997_2/0174.html
> Won't you know it about 4 hours after I got this email I got hits on 3
> .rhosts files. Now, I could not verify if it was lynx doing it
> (hundreds of users online makes that difficult) but I am a paranoid
> individual and disabled lynx. I might be overly paranoid.
> As the/a author of the software can you validate/discredit my concerns? 
> Nothing else was said on the BUGTRAQ list as of yet.

This issue (/tmp being world writable) has been discussed here recently.
No fix has yet been implemented, but here is a workaround:

In the global .profile for your Lynx users, do this:

LYNX_TEMP_SPACE=$HOME/.lynx ; export LYNX_TEMP_SPACE

Create the $HOME/.lynx directory for all users, owned by that user
and writable by them only.


------
<http://www.cs.indiana.edu/picons/db/users/us/md/lib/bcpl/jspath/face.xbm>
Marvin the Paranoid Android says:
Don't think for a moment that I enjoyed doing that because I didn't.
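
The workaround above, written out as a defensive fragment for a global .profile. This is an added example, not part of the original message and not code from the Lynx project; the helper name lynx_private_tmp is hypothetical, and creating the directory with mode 700 is an assumption that is slightly stricter than "writable by them only".

```sh
# Added example for a global .profile; lynx_private_tmp is a hypothetical helper.
# Prints the private directory for home directory $1, or fails if it is unsafe.
lynx_private_tmp() (
    # Subshell body: variables set here do not leak into the login shell.
    dir="$1/.lynx"

    # A symlink could redirect temp files to a place another user controls.
    if [ -L "$dir" ]; then
        exit 1
    fi

    # Create it with mode 700 regardless of the user's normal umask.
    if [ ! -e "$dir" ]; then
        (umask 077 && mkdir "$dir") 2>/dev/null || exit 1
    fi
    [ -d "$dir" ] || exit 1

    # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
    info=$(ls -ldn "$dir" | awk '{print $1, $3}')
    mode=${info%% *}
    owner=${info##* }
    [ "$owner" = "$(id -u)" ] || exit 1

    # Reject group- or other-writable directories (mode positions 6 and 9).
    case "$mode" in
        d?w??-??-*) ;;
        *) exit 1 ;;
    esac

    printf '%s\n' "$dir"
)

# Only point Lynx at the directory once it has passed the checks.
if LYNX_TEMP_SPACE=$(lynx_private_tmp "$HOME"); then
    export LYNX_TEMP_SPACE
else
    unset LYNX_TEMP_SPACE
    echo "warning: no private Lynx temp directory; LYNX_TEMP_SPACE not set" >&2
fi
```

If the check fails, Lynx falls back to its default temp location, so the warning is the signal to fix that user's directory by hand.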
