[asterisk-dev] AST-2007-024 - Fallacious security advisory spread on the Internet involving buffer overflow in Zaptel's sethdlc application

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Nov 9 06:03:55 CST 2007

On Fri, Nov 09, 2007 at 12:20:29PM +0100, Vadim Lebedev wrote:

> If this sethdlc program is installed as setuid root for some  reason it,
> DOES represent security risk

Why would you install sethdlc setuid root? It was not designed
paranoidly for that. And also if you need to allow a non-root to run
sethdlc(-new) you'll also need the same user to run ifconfig on the
newely-generated network interface.

Hence chances are you'll need to use sudo in such a scenario, with your
own script. And won't allow the user to just pass an arbitrary interface

               Tzafrir Cohen       
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir

More information about the asterisk-dev mailing list