List:       kde-commits
Subject:    Re: kdeadmin/kuser
From:       Denis Pershin <dyp () inetlab ! com>
Date:       1999-07-12 11:07:48

>> Rrrrrhhhhhhhhhhhhh....
>> Please do not do modifications in the core if you are not sure!!!!!!!
>> There was a large error in glibc in getpwent!!!!! All passwords were squashed
>> away...
>
>1) If glibc is broken, fix glibc, don't break kuser.

I hope that you know that kuser is a program usually run from root..
And that if someone runs it on a broken glibc he will lose all his passwords
and the system will become open for anyone... Are you sure that you are so good to
make such a design in favor of clear code??? I am not sure. Absolutely not
sure. If you want to look at examples look at kuser history bugs... There were
lots of systems affected.

>2) This was okay according to your mail:
>>> So add a test for fgetpwent and fgetgrent and default to getpwent if they
>>> do not exist? No?
>> No problems. I will do this.
>
>The only problem was that you never did. Feel free to replace it with some
>nicer code.

I am sorry, but your mail was from Jul 7... And you waited 5 days... I am
sorry, but as far as you know I do this in my spare time... And do you think
that this is ok to break code only if you will be happy???

I am sorry for such words but you solved the problem for you, opening a BIG
security hole for others. Not a good idea.

-- 
Sincerely Yours,
Denis Y. Pershin

----------------------------------
E-Mail: dyp@inetlab.com
HomePage: http://www.software.ru/dyp/
FidoNet: 2:5000/120.5
----------------------------------
