bug-gnustep

[bug #29755] gdomap information disclosure vulnerabilities


From: Richard Frith-Macdonald
Subject: [bug #29755] gdomap information disclosure vulnerabilities
Date: Wed, 05 May 2010 09:54:07 +0000

Follow-up Comment #4, bug #29755 (project gnustep):

> In most typical GNUstep setups gdomap is no longer needed,
> so we may just need a bit more documentation for distributions
> about when to install it at all

That's like saying the spell server and sound daemons are not needed (because
few people use them), and therefore should not be installed by most
distributions.
When to install would be *always* ... otherwise networked distributed objects
are broken.

The issue is whether a distribution should install the program setuid ... and
of course it is (and always has been) recommended that it's started at system
boot time (in which case the setuid flag is not needed).

We should perhaps change our install script to install without the setuid
flag, forcing the distributors to do that themselves if they want it.

> Otherwise the dropping of the privileges sounds like the best option.

Unfortunately that's not an easy option since not all systems actually allow
you to restore privileges once dropped, and you need to be privileged to open
the port to work on.  I don't actually think that would improve security
significantly (or at all as long as access() works) now that the code uses
access() to check the files anyway.




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?29755>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
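
The access() check mentioned in the comment above, as an added example that is not part of the original message and is not gdomap's code: a setuid program opening a caller-named file only if the invoking (real) user may read it. The helper name `open_for_invoker`, the `demo` function and the temporary file are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not gdomap code): returns a read-only fd for `path`
 * if the invoking user may read it and it is a regular file, else -1. */
int open_for_invoker(const char *path)
{
    struct stat st;
    int fd;

    /* access() tests permissions with the REAL uid/gid, not the effective
     * ones, so in a setuid-root binary it answers "may the user who started
     * this program read the file?" rather than "may root?". */
    if (access(path, R_OK) != 0)
        return -1;

    /* access(2) documents a window between this check and open();
     * O_NOFOLLOW at least refuses a symlink as the final path component,
     * and O_NONBLOCK keeps a FIFO from stalling the open. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* Inspect the object actually opened: accept regular files only. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed sample: a temp file is accepted; "/" and a removed path are not. */
int demo(void)
{
    char tmpl[] = "/tmp/invoker-demo-XXXXXX";
    int made = mkstemp(tmpl);
    if (made < 0) return -1;
    close(made);
    int fd = open_for_invoker(tmpl);
    int ok = fd >= 0;
    if (ok) close(fd);
    unlink(tmpl);
    return ok && open_for_invoker("/") < 0 && open_for_invoker(tmpl) < 0;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```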




