Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

ddick (5726)

  (email not shown publicly)

I'm based out of Melbourne, Australia. I attend the excellent meetings whenever i get the chance, which is not often enough.

Journal of ddick (5726)

Sunday March 16, 2008
01:51 AM

Security Issue or Not?

[ #35913 ]

I've been experimenting with sending sms.

One of the available programs for this is smstools. Smstools requires the sender of the sms to write to a directory that the sms daemon monitors.

However, Fedora requires root permissions to write to that directory. Debian requires that you are the smsd user (who is a member of the dialout group). Neither system gives write privileges to a group.

Now, from the point of view of a user interacting with these packages, both provide the annoying problem that a set-uid binary is required, simply to send an sms.

However, i think this is also a security hole as well. Not in the actual package, but in that to use the package, a normal user must go through a privilege escalation process. Every system that wants to send an sms has to therefore write their own custom set-uid script/binary, causing the un-necessary potential for set-uid bugs/system takeover.

The Debian package of course only has the potential to elevate to smsd, but since smsd has the potential to send unlimited sms and erase all trace of it, the horror is still pretty real.

Does a security bug against these packages seem justified?

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.