Permissions on "fp/lib/config" [was: Re: Security Issues with filePro]

Jay R. Ashworth jra at baylink.com
Wed May 26 10:31:13 PDT 2004


On Fri, Nov 28, 2003 at 10:12:09PM -0500, Kenneth Brody wrote:
> Quoting Bob Stockler <bob at trebor.iglou.com>:
> [...]
> > Maybe I could figure it out on a non-holiday-weekend when the wine
> > was not flowing so freely, but give me a quick fix to:
> >
> >   Why is runmenu not SUID "filepro" as other filePro programs are?
> >                  ^^^
> [...]
> 
> Since you can have menus that run anything, including non-filePro things,
> why should those non-filePro things run as setuid filepro?

They shouldn't.  runmenu should fork, *drop* setuser, and then exec.

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra at baylink.com
Member of the Technical Staff     Baylink                             RFC 2100
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida        http://baylink.pitas.com             +1 727 647 1274

        Come see Linux Gazette in our new home: www.linuxgazette.net!
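
The fork / drop / exec sequence suggested in the reply above, written out in C as an added example; it is not part of the original message and is not filePro's code. The names drop_privileges and run_menu_command are hypothetical, and the code assumes a POSIX system with a program that is set-uid/set-gid to a non-root account.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently discard set-id identity. Group first: once the user ID is
 * dropped, the process may no longer be allowed to change its group. */
static int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Setting real and effective together also resets the saved ID. */
    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return -1;
    /* Verify: a non-root caller must be unable to regain the old IDs. */
    if (ruid != 0) {
        if (old_egid != rgid && setegid(old_egid) == 0) return -1;
        if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
    }
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Hypothetical helper: run argv[0] as the invoking user and return its
 * exit status, or -1 if it could not be started or died on a signal. */
int run_menu_command(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child only */
        if (drop_privileges() != 0)
            _exit(126);                   /* refuse to exec while privileged */
        execv(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)  /* parent keeps its own identity */
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the drop happens in the child after fork, the parent keeps its set-uid identity for its own file access while everything it launches runs as the invoking user.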

