• Next message: AA24000: "Help installing linux SLS on a 486 with 2 hard drives"
• Previous message: Dave Williams: "Re: disk partitioning for linux (at last!)"
• Next in thread: Jeffrey A Waller: "Re: ANNOUNCE: GNUPLOT 3.2 uploaded to sunsite.unc.edu"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

From: joel@wam.umd.edu (Joel M. Hoffman)
Subject: Re: ANNOUNCE: GNUPLOT 3.2 uploaded to sunsite.unc.edu
Date: Fri, 26 Feb 1993 14:56:02 GMT

In article <HEIM2.93Feb26135029@sally.peanuts.informatik.uni-tuebingen.de> heim2@peanuts.informatik.uni-tuebingen.de (Gerald Heim) writes:
>
>Hi
>
>People that want to install gnuplot with builtin vga-driver
>should be aware that gnuplot has a SHELL-ESCAPE!
>It should never ever been installed suid root!
>
>As suggested by hank@Blimp.automat.uni-essen.de, permissions
>should probably look like that:
>
>-rwxr-sr-x 1 bin mem 238596 Dec 4 11:02 /usr/local/bin/gnuplot*
>crw-rw---- 1 root mem 1, 2 Aug 29 23:48 /dev/kmem
>crw-rw---- 1 root mem 1, 1 Aug 29 23:48 /dev/mem
>
>... if you don't want others to become root w/o password :->

Unfortunately, this too is a security hole. The whole point not
making /dev/[k]mem world readable is that doing so is a secuty hole.
With the permissions you suggest, anyone can run gnuplot, escape to a
shell, and access /dev/[k]mem. Bad idea.

I guess a better solution would be to modify the shell escape to
restore the old userid.

-Joel

• Next message: AA24000: "Help installing linux SLS on a 486 with 2 hard drives"
• Previous message: Dave Williams: "Re: disk partitioning for linux (at last!)"
• Next in thread: Jeffrey A Waller: "Re: ANNOUNCE: GNUPLOT 3.2 uploaded to sunsite.unc.edu"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]