[DGD]Default Wiztool not loaded ?
Stephen Schmidt
schmidsj at union.edu
Mon Feb 19 17:27:34 CET 2001
On Mon, 19 Feb 2001, Felix A. Croes wrote:
> I just checked, and it appears to be fairly simple to break Melville's
> security.
I have never claimed otherwise :) Melville's security has
never been extensively tested, for precisely the reason
that Dworkin notes below: it's not a trivial task. That
said, I will always fix security bugs when reported.
> - The function set_creator() is not nomask.
That's a bug.
> - The creator of any object can be reset to "Driver" from a callout.
That's clearly not the Right Thing, but I don't think anything
terribly bad would happen as a result, as "Driver" has no
privileges. The worst that can happen, I think, is that
a user loses privileges that it would have if it had the
user's name as its creator.
> - valid_read() does not first resolve the path it checks.
> - valid_write() only resolves the path it checks if called from
> a function called "log_file".
Also bugs.
> All this from checking /system/auto/security.c -- I'm sure there is
> more, but at this point I can already arbitrarily rewrite LPC source
> files :-)
I'm sure there are too ;) As noted, any bugs found will
be fixed. If enough mount up (and Dworkin's list is probably
enough in itself) a new release will go out.
Steve
List config page: http://list.imaginary.com/mailman/listinfo/dgd
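An illustration of the valid_read() and valid_write() items in the message above, added here and not taken from Melville or from either poster: a C model of testing a path before versus after lexical resolution. The function names, the directory layout and the sample paths are assumptions constructed for the example; the mudlib's own code is LPC and is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: lexically resolve an absolute path. Drops "." and
 * empty components, pops one component per "..". Returns 0, or -1 on error. */
static int resolve_path(const char *in, char *out, size_t outsz)
{
    size_t len = 0, n;
    if (in[0] != '/' || outsz < 2) return -1;      /* absolute paths only */
    for (;;) {
        in += strspn(in, "/");                     /* skip repeated separators */
        if ((n = strcspn(in, "/")) == 0) break;    /* no component left */
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/')
                ;                                  /* pop one component, stop at root */
        } else if (!(n == 1 && in[0] == '.')) {
            if (len + n + 2 > outsz)
                return -1;                         /* too long: caller must deny */
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';                /* everything popped: root */
    out[len] = '\0';
    return 0;
}

/* True if path is dir itself or lies below it, matched on a component boundary.
 * Called on a raw path, this is the flawed order: ".." is treated as a name. */
static int under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Corrected order: resolve first, then test; any resolve error denies access. */
static int check_resolved(const char *path, const char *dir)
{
    char buf[256];
    return resolve_path(path, buf, sizeof buf) == 0 && under_dir(buf, dir);
}

int main(void)
{
    const char *home = "/users/alice", *p = "/users/alice/../bob/plan.c"; /* constructed */
    printf("raw check=%d, resolved check=%d\n", under_dir(p, home), check_resolved(p, home));
    return 0;
}
```

The same ordering applies to write checks, and it has to hold for every caller rather than for one named calling function.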