Hi,

what are the problems that can result from setting scanimage and xscanimage SUID?

bye
Oliver
Hi Oliver

On Fri, Jun 28, 2002 at 03:52:33PM +0200, Oliver Block wrote:
> what are the problems that can result from setting scanimage and xscanimage SUID?

What about two possible local root exploits? As long as the code of (x)scanimage is tight there is nothing to fear ;-) ... but which code is tight? At the moment I'm not aware of any weakness.

Greetings
Daniel Lord
On Friday 28 June 2002 15:52, Oliver Block wrote:
> Hi,
> what are the problems that can result from setting scanimage and xscanimage SUID?

Well, possibly overwriting any file, including system files. You can nicely stuff the scan output into /etc/shadow and the like (I just confirmed the obvious with SuSE 7.0 and xscanimage suid root). You should not need to suid the frontend, the sane backend should take care of the permissions, including dropping privileges.

The same caveats apply to most suid programs capable of writing files (like xmms, cdrecord et al.). It is never recommended to suid root such binaries on a multiuser system. On a home machine as a single user you can probably live with it.

> bye
> Oliver

Regards,
Martin

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
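
The privilege drop mentioned in the reply above, sketched as an added C example; it is not code from this thread or from the SANE sources. The function names `drop_privileges` and `open_scan_output` are hypothetical, and the sketch assumes a set-uid-root binary on a POSIX system: privileges are given up for good before the user-named output file is opened, so the kernel checks the write against the invoking user's own rights.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privileges. Returns 0 on success.
 * Assumes set-uid *root*: only then does setuid() also reset the saved UID. */
int drop_privileges(void)
{
    uid_t ruid = getuid();   /* the user who actually invoked the program */
    gid_t rgid = getgid();
    /* Group first: after the UID is dropped the GID can no longer be changed. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the drop and that root cannot be regained; never ignore a failure. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Open the user-named output file with the invoking user's rights only.
 * O_NOFOLLOW rejects a symlink as the final path component (errno ELOOP). */
int open_scan_output(const char *path)
{
    if (drop_privileges() != 0)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
}

int main(int argc, char **argv)
{
    static const char pnm[] = "P5\n1 1\n255\n";  /* constructed 1x1 image */
    if (argc != 2) {
        fprintf(stderr, "usage: %s OUTFILE\n", argv[0]);
        return EXIT_FAILURE;
    }
    int fd = open_scan_output(argv[1]);
    if (fd < 0) {
        perror(argv[1]);
        return EXIT_FAILURE;
    }
    ssize_t n = write(fd, pnm, sizeof pnm);   /* header plus one zero pixel */
    close(fd);
    return n == (ssize_t)sizeof pnm ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

With the drop in place, pointing the output at a file such as /etc/shadow fails with EACCES for an ordinary user instead of overwriting it.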
participants (3)
- Daniel Lord
- Martin Leweling
- Oliver Block