Subject: Re: chroot jail for ftpd
To: Perry E. Metzger <perry@wasabisystems.com>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: tech-security
Date: 10/18/2001 14:00:43

On Wed, Oct 17, 2001 at 10:12:21PM -0400, Perry E. Metzger wrote:
> So we tell people with giant large letters to chmod +x /usr/lib/lib*so.*
> and be done with it. Better than leaving this go forever.

How does this handle file systems mounted noexec (I would hope no
one thinks they can get away with this on /*/lib/, but you never
know)?

How about shared libraries the user builds themselves, perhaps not
software they wrote but using a third party Makefile that doesn't
include the correct permissions in its install rule? "Don't build
your own software," is a pretty lame response to these people...

If your point is that users should get a clue, I'm with you, but
what are the chances?

I've got a feeling that the problem we really want to fix is shared
libs on noexec filesystems, not shared libs minus the execute bit
in the file system...

-- 
       ~ g r @ eclipsed.net
