On Tue, Jun 25, 2002 at 06:07:43PM +0100, Paul Kelly wrote:
> The annoying thing is Theo says he fixed the bug "in 3 minutes". So the
> patch exists right now. It's not complex. It's not tied to a particular
> OS. But still, at the hour of the announce, the only distribution with
> binary updates will be OpenBSD.
The patch exists no doubt, and it isnt being distributed exactly because
it would reveal the nature of the bug. Wether that's prudent or not,
we'll no next week. As to OpenBSD, we still don't know if it's even
exploitable on OpenBSD.
> On other platforms I would be VERY cautious about moving to PrivSec at
> this point, especially since there's at least one claim of a root
> exploit in the new OpenSSH 3.3.1p code. Now I don't know if that bloke's
> taking the piss or not, but I know I'd rather not risk it. There are
> enough minor Known Bugs in PrivSec that there's good reason to suspect
> at least one doozie is hiding in there.
The curious thing is that is the move to PrivSep is not neccessary.
From reading the notice, it says that the problem isnt exploitable
(though is possibly present) while using PrivSep, and that's great,
I can see it being a good argument for using Privilege Seperation
as an interim solution until the fix is available. I'll buy that,
But how does this extend into the impending urgency in getting vendors
to make PrivSep work fully on their platform ? If Theo is waiting on
this before the release of the fix ... it would indicate that using
Privelege Seperation is an implimentation neccessity of the fix. This
makes no sense.
The problem should be fixable regardless and it should fix it regardless
of wether you have privilege seperation on or off. Otherwise it isnt
a solution. But as we know already , the patch is available, and it
really does seem, as others here have suggested that it's a case of using
this opportunity to implement a policy decision. Seems to be case of
"I told you privelege seperation would be a good idea, look, this
wouldnt have been a problem if you had used it like I told you to.
That's it, I'm telling your Ma".
Nowhere does the document suggest that privelege seperation is a
neccessity of the solution, just that it's a very good idea, and if
your vendor had it working for you, this wouldnt even be a problem.
colmmacc at redbrick.dcu.ie PubKey: colmmacc+pgp at redbrick.dcu.ie
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!