Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
From: Jason Baker
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Tue, 24 Jun 1997 13:19:33 -0700

On %M %N, Robert Bonomi wrote:
>
> Being able to read/copy files is =not= really an issue. Postulating any
> sort of effective _system_ management, LYNX is either running _as_the_user_
> who invoked it; or in the case where it's being used as a 'public access'
> browser/viewer it is running as _its_own_ userid. In _either_ case, the
> *system* access-controls are still in effect, and unless LYNX is running
> with an effective userid of _root_, cannot access any 'sensitive' files.
> Note: '/etc/passwd' is *not* a 'sensitive' file, on a properly managed
> system. Everybody *should* be running 'shadow passwords' at this point,
> whereupon the readability of /etc/passwd is not a "significant" issue.

Fair enough, but a bit dangerous, too - DG/UX only just now has FINALLY
got shadow passwords, as of 5.4R4.11MU03 (MU = maintenance update, kinda
like a patchlevel).

I know for a fact there's tons of systems out there running 5.4R3.10.

Since Lynx shouldn't be able to do this, it's a bit unfair to blame the
OS for the lack of a feature to counteract what Lynx is letting the
users get away with. :)

Of course, I tend to consider any system with a guest account a system
with a big "start hacking here" sign, but sometimes it's needed.

Jason
--
address@hidden | PGP key available
Systems Administrator, Information Systems | from MIT keyserver.
BC Family Maintenance Enforcement Program | KeyID: 6DA770E9
To err is human; to really bugger things up requires the root password.