
List:       bugtraq
Subject:    Re: FALSE ALARM: Re: Another buggy root cron job
From:       Bruce Evans <bde () zeta ! org ! au>
Date:       1996-12-26 0:45:28

>My face is very red.
>
>From /etc/weekly:
>echo /usr/libexec/locate.updatedb | nice -5 su -m nobody 2>&1 |\
>        fgrep -v 'Permission denied'
>
>It's run as nobody.

Indeed.

There's a similar potential hole in mkdep.  This hole is a bit larger
than the one for the race in mktemp().  No one runs `make depend' or
compiles things as root on public machines, right? ;-)

Bruce
