randy at linuxfromscratch.org
Thu Aug 16 07:16:59 PDT 2007
Alexander E. Patrakov wrote these words on 08/16/07 08:59 CST:
> One more thing. It installs /usr/bin/screen -> screen-[version] symlink,
> and the setuid binary is really /usr/bin/screen-[version]. Now let's
> suppose that a root hole is found in screen, a new version of screen is
> released, and a user updates his screen by following BLFS instructions.
> See the bug? The old buggy setuid binary /usr/bin/screen-[oldversion] is
> still there, ready for exploitation.
This would be an after-the-fact, way, way post-installation sysadmin
task. Many of the binaries installed do the same thing, Gimp, AbiWord,
Gnumeric, and others. I don't really want to get into tasks that have
to do with previous installations of packages.
> The book should deal with this
> somehow, e.g., by disabling this stupid symlink.
Why? To the vast majority of people it would be an inconvenience.
Those that have truly critical needs (production use) will take care
of it themselves without being told. Or at least that's what I'd
Your points are valid, Alexander, I'm just not sure it is something
that BLFS wants to get into (sysadmin and modifying well-known
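One defensive check for the leftover-binary problem Alexander describes, as an added shell example that is not part of this thread or of BLFS: it lists setuid files named base-version in a directory that are not the current target of the base symlink. It assumes a POSIX shell with readlink available; the directory and base name are parameters.

```shell
#!/bin/sh
# Added example, not from the thread or from BLFS.
# Prints setuid regular files named <dir>/<base>-* that are NOT the file the
# <dir>/<base> symlink currently points at, i.e. old versioned setuid copies
# left behind by an upgrade that only re-pointed the symlink.
# Usage: stale_setuid_versions /usr/bin screen
stale_setuid_versions() {
    dir=$1
    base=$2
    link="$dir/$base"
    current=""
    # Resolve the symlink (if present) to a bare file name for comparison.
    if [ -L "$link" ]; then
        current=$(readlink "$link")
        current=${current##*/}
    fi
    for f in "$dir/$base"-*; do
        [ -f "$f" ] || continue                   # no match, or not a regular file
        [ -u "$f" ] || continue                   # only setuid files are of interest
        [ "${f##*/}" = "$current" ] && continue   # the live version is expected
        printf '%s\n' "$f"
    done
    return 0
}
```

Run it after every upgrade of a setuid package; any path it prints is an old binary still reachable by its full name.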