[asterisk-dev] AST-2007-024 - Fallacious security advisory spread on the Internet involving buffer overflow in Zaptel's sethdlc application
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Fri Nov 9 06:03:55 CST 2007
On Fri, Nov 09, 2007 at 12:20:29PM +0100, Vadim Lebedev wrote:
>
> If this sethdlc program is installed as setuid root for some reason, it
> DOES represent a security risk
Why would you install sethdlc setuid root? It was not designed
paranoidly for that. And also, if you need to allow a non-root user to run
sethdlc(-new), you'll also need the same user to run ifconfig on the
newly-generated network interface.
Hence chances are you'll need to use sudo in such a scenario, with your
own script. And it won't allow the user to just pass an arbitrary interface
name.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
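As an added example (not part of the message above and not Zaptel's own tooling), this is the kind of sudo wrapper the reply describes: a root-run script that brings up one HDLC interface and refuses any interface name or address it does not recognise, so the user never gets to hand an arbitrary string to sethdlc or ifconfig. Everything site-specific is an assumption: the install paths, the `hdlcN` interface naming, the `cisco` encapsulation passed to sethdlc, and the hypothetical `zapuser` account in the sudoers rule.

```shell
#!/bin/sh
# Hypothetical wrapper: /usr/local/sbin/zap-hdlc-up <hdlcN> <ipv4-address>
# Meant to be run as root through sudo instead of making sethdlc setuid.
# Sudoers rule (assumed; add with visudo):
#   zapuser ALL=(root) NOPASSWD: /usr/local/sbin/zap-hdlc-up
set -eu

SETHDLC=/usr/sbin/sethdlc    # assumed install path
IFCONFIG=/sbin/ifconfig      # assumed install path
ENCAP=cisco                  # assumed encapsulation argument for sethdlc

# Accept only interface names of the form hdlcN with N = 0..99 (assumption:
# that is how this site names its Zaptel HDLC interfaces). Anything else,
# including path components or shell metacharacters, is rejected.
validate_iface() {
    case "$1" in
        hdlc[0-9]|hdlc[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only a dotted-quad IPv4 address: four octets, digits only, each 0..255.
validate_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, empty octets
    esac
    rest=$1.
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        n=$((n + 1))
        # length check first so the numeric test never sees an oversized value
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 <hdlcN> <ipv4-address>" >&2
        return 2
    fi
    iface=$1
    addr=$2
    validate_iface "$iface" || { echo "refusing interface name: $iface" >&2; return 1; }
    validate_ipv4 "$addr"   || { echo "refusing address: $addr" >&2; return 1; }
    # Only validated values reach the privileged tools, and only in fixed positions.
    "$SETHDLC" "$iface" "$ENCAP"
    "$IFCONFIG" "$iface" "$addr" up
}

# With no arguments the script only defines its functions (so it can be sourced);
# with arguments it runs as the sudo target.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The important property is that the unprivileged user chooses from a fixed menu of interfaces rather than supplying a free-form argument: the sudoers rule names the wrapper, not sethdlc or ifconfig, and the wrapper decides what those tools are invoked with.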