[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netatalk-devel
Subject:    Re: [Netatalk-devel] Can't give 'em away (help!)
From:       a sun <asun () cobalt ! com>
Date:       2000-08-14 22:33:09
[Download RAW message or body]

   Although I've written several kludges that do this on and off, wouldn't
   you consider it a security hole to setuid to root for a product with
   wide distribution like this? I think it's WORTH it, but don't know how
   many other people would share my opinion.

well, there are other programs do something similar. you just need to
make sure that you're really paranoid. in most cases, you're not
running as root, so you don't have that vulnerability. in addition,
afpd doesn't exec outside scripts, so its vulnerabilities stem from
things like buffer overflows. i think i've done a pretty good job of
plugging in those types of holes, but afpd could always stand to go
through a security audit.

oh yeah, one of the reasons why i wanted to wait until the transition
to appledouble v2 was because AFP permissions are sufficiently
different from unix ones to necessitate extra bits. there is some
unused space in the v2 header that can be used for just that
purpose. all it does is change how permission inheritance should work,
so it should be okay.

-a

[prev in list] [next in list] [prev in thread] [next in thread]