Debian Developers - Removing system users on purge [Re: Bits from the release team: the plans for etch]

Don Armstrong

2005-10-26, 6:03 pm

On Wed, 26 Oct 2005, Javier Fernández-Sanguino Peña wrote:
> On Wed, Oct 26, 2005 at 05:24:28PM +0200, Frank Küster wrote:
>
> Non-issue, as I said in the end of my post, those should be removed
> on purge.


The log files that are created by the default package configuration
should be removed, but custom modifications to the configuration can
cause logfiles to be created elsewhere that are owned by the user in
question.

Case reopened.


Don Armstrong

-- 
UF: What's your favourite coffee blend?
PD: Dark Crude with heavy water. You are understandink? "If geiger
counter does not click, the coffee, she is just not thick."

http://www.donarmstrong.com http://rzlab.ucr.edu
Stephen Frost

2005-10-26, 6:03 pm

* Don Armstrong (don@debian.org) wrote:
> On Wed, 26 Oct 2005, Javier Fernández-Sanguino Peña wrote:
>
> The log files that are created by the default package configuration
> should be removed, but custom modifications to the configuration can
> cause logfiles to be created elsewhere that are owned by the user in
> question.


Have we actually got a specific case of this happening and there being a
real security threat from it? Seems like an awful lot of hand-waving
and concern for a possible scenario that doesn't seem to have actually
happened much (if at all, so far all I've seen has been pure
speculation). An admin can set root's password to 'password' and allow
remote root login too, and that probably happens with greater frequency
than the scenario being put forth here.

Thanks,

Stephen

Thomas Bushnell BSG

2005-10-26, 6:03 pm

Stephen Frost <sfrost@snowman.net> writes:

> Have we actually got a specific case of this happening and there being a
> real security threat from it? Seems like an awful lot of hand-waving
> and concern for a possible scenario that doesn't seem to have actually
> happened much (if at all, so far all I've seen has been pure
> speculation).


There isn't any particular reason I can see for wanting to remove the
old ids from /etc/passwd. Nothing concrete has been proposed.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Stephen Frost

2005-10-28, 4:51 pm

* Frank Küster (frank@debian.org) wrote:
> Stephen Frost <sfrost@snowman.net> wrote:
>
> When I ran a samba server years ago, I changed the default log file names
> and, IIRC, location.


Were they owned by the samba uid? Were they terribly sensitive? Did
you ever actually uninstall samba? Was the samba uid reused? Was there
an actual compromise of the files by another daemon?

I'm looking for actual cases of this 'security hole' being exploited, or
even getting to the point where files ended up actually owned by the
wrong uid.

Thanks,

Stephen
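The check that both positions in this thread turn on (Don Armstrong's relocated log files still owned by a package's uid after purge, and Stephen Frost's question whether files actually end up owned by the wrong uid once that uid is reused) can be made concrete with a small audit script. The following is an added example, not code from the thread or from any Debian package: it assumes only POSIX find(1), takes the uid and the directory to scan from the caller, and the directory tree in the demo is constructed so it runs without root.

```bash
#!/bin/sh
# Added example (not from the thread): audit files owned by a system uid
# before a package's postrm removes that account on purge, and list what
# an earlier removal has already left behind. Assumes POSIX find(1).

# Regular files under ROOT owned by UID. -xdev keeps the scan on one
# filesystem so it does not wander into /proc or network mounts; errors
# from unreadable directories are discarded.
files_owned_by_uid() {
    uid="$1"
    root="$2"
    find "$root" -xdev -uid "$uid" -type f -print 2>/dev/null
}

# Number of such files. A purge hook would warn, or leave the account in
# place, when this is non-zero: deleting the uid leaves these files with
# no owner in /etc/passwd, and whichever package is later allocated the
# same uid silently inherits them.
count_owned_by_uid() {
    files_owned_by_uid "$1" "$2" | wc -l | tr -d ' '
}

# Files whose owner uid has no passwd entry at all, i.e. the leftovers of
# a purge that already happened. -nouser is POSIX.
unowned_files() {
    root="$1"
    find "$root" -xdev -nouser -type f -print 2>/dev/null
}

# Demonstration on a constructed tree: a log in the default location and
# one an admin moved elsewhere. Both are created by, and therefore owned
# by, the calling uid, so no privilege is needed to exercise the scan.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/var/log/samba" "$tmp/srv/custom-logs"
    : > "$tmp/var/log/samba/log.smbd"     # default log path
    : > "$tmp/srv/custom-logs/log.smbd"   # admin-relocated log path
    me="$(id -u)"
    echo "files owned by uid $me under $tmp: $(count_owned_by_uid "$me" "$tmp")"
    files_owned_by_uid "$me" "$tmp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh audit-uid.sh demo` to see the scan pick up the relocated log that a package's own purge rules (which only know the default path) would miss; in a real postrm the root would be `/` and the uid the one `adduser --system` allocated at install time.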

Copyright 2003 - 2008 webservertalk.com