Security advisory for removing setuid programs.

Bill's LFS Login lfsbill at nospam.dot
Tue Nov 25 10:03:44 PST 2003


On Tue, 25 Nov 2003, Archaic wrote:

> On Tue, Nov 25, 2003 at 09:17:49PM +0500, Alexander E. Patrakov wrote:
> > On Tuesday 25 November 2003 15:22, ashes wrote:
> > > This is from recent kernel and coreutils mailing lists.
> >
> > No, this is the correct answer to the contest conducted by Brian Hatch:
>
> It's also from full disclosure and bugtraq. He may very well have gotten
> it from any number of lists.
>
> > I sent my reply at Fri, 14 Nov 2003 20:52:00 +0500 with exactly the same
> > scenario.
>
> Which, if that's the answer, shows how important it is to go beyond what
> a distro installs (including LFS, BLFS) and to learn security practices
> (like moving /home to another partition), not just keeping packages up
> to date.
>
> CC'ing to lfs-security as it seems to be beyond the scope of the book.
> (Which makes me wonder if there would be any support for creating an SLFS
> book that went through and systematically hardened an LFS/BLFS system
> step-by-step.)

Well, there's (n)ALFS which conflicts with the *basic* edu premise of
the LFS project, and hardening the system would not do that, so it seems
to be a pretty good suggestion to me. With more and more "always on"
users, it should be pretty useful.

-- 
Bill Maltby
lfsbillATwlmcsDOTcom
Fix line above & use it to mail me direct.
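The thread's subject, removing setuid programs, is one of the hardening steps such a book would walk through. The script below is an added example, not code from this thread or from the LFS/BLFS books: it inventories setuid and setgid files under a tree, reports a count that can be kept as a baseline, and strips the bits from a file once it has been reviewed and judged unnecessary. The sample directory it builds is constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the lfs-security thread): audit and trim setuid/setgid
# files so an LFS/BLFS system only keeps the privileged binaries it needs.

# list_setuid_files DIR
# Print every regular file under DIR with the setuid (4000) or setgid (2000)
# bit set, one path per line, sorted. -xdev keeps the walk on one filesystem,
# so run it once per mounted filesystem for a full system inventory.
list_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# count_setuid_files DIR
# Number of setuid/setgid files under DIR; a quick baseline figure to compare
# after package installs, since a new entry means a new privileged binary.
count_setuid_files() {
    list_setuid_files "$1" | wc -l | tr -d ' '
}

# drop_setuid_bits FILE
# Remove both special bits from FILE after deciding the program does not need
# them. The program still runs, just with the caller's own privileges.
drop_setuid_bits() {
    chmod u-s,g-s "$1"
}

# make_sample_tree
# Constructed demo tree: one setuid file, one setgid file, one plain file.
# Prints the directory path so callers can inspect and clean it up.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/lib"
    printf '#!/bin/sh\necho hi\n' > "$dir/bin/suid-tool"
    printf '#!/bin/sh\necho hi\n' > "$dir/bin/sgid-tool"
    printf 'data\n' > "$dir/lib/plain.txt"
    chmod 4755 "$dir/bin/suid-tool"   # setuid + rwxr-xr-x
    chmod 2755 "$dir/bin/sgid-tool"   # setgid + rwxr-xr-x
    chmod 0644 "$dir/lib/plain.txt"   # no special bits, must not be listed
    printf '%s\n' "$dir"
}

# Stand-alone demo: inventory the sample tree, remove one bit, inventory again.
demo_dir=$(make_sample_tree)
echo "before: $(count_setuid_files "$demo_dir") privileged file(s)"
list_setuid_files "$demo_dir"
drop_setuid_bits "$demo_dir/bin/suid-tool"
echo "after:  $(count_setuid_files "$demo_dir") privileged file(s)"
list_setuid_files "$demo_dir"
rm -rf "$demo_dir"
```

On a real system the inventory is run from `/` (and again for each separately mounted filesystem, since `-xdev` stops at mount points), the output is saved, and later runs are diffed against it so that any binary a package install has made setuid shows up for review. Putting `/home` on its own partition, as suggested in the quoted message, also lets that partition be mounted with the `nosuid` option, under which the kernel ignores setuid and setgid bits on files stored there; that is a separate mount-level control and is not part of this script.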
