On 4th April I posted a message concerning the dxconsole security fix SSRT0358
mentioned in CERT bulletin VB-96.05. I postulated that the installation
instructions probably left the security hole open by recommending that the old
version of dxconsole be renamed dxconsole.orig without removing access to it
or removing its setuid-root privilege.

Nobody was able to confirm positively that the hole remained open, but several
people thought I was probably right.

One person suggested that things were probably OK because the fact that the
new dxconsole was running would prevent the old one from being exercised. I
believe this is a fallacious argument for the following reasons:

- My experience is that running a new instance of dxconsole will "take over"
  from the old.
- The mere existence of a dodgy program with setuid-root is a cause for
  concern.
- There is no compulsion to run dxconsole at all, so the premise on which
  the argument is based has no foundation.

Based on the available evidence, I would strongly recommend anybody who
installs this security fix to (at least) remove the setuid bit from the old
version of dxconsole. At my own installation I've actually deleted it; I can
always get it back from the CDROM if I need it.

--
Martyn Johnson maj_at_cl.cam.ac.uk
University of Cambridge Computer Lab
Cambridge UK
Received on Tue Apr 23 1996 - 19:30:49 NZST
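
The recommendation above can be turned into a routine check. The following is an added example, not part of the original post: a POSIX shell audit that lists files still carrying setuid or setgid bits under backup-style names (as dxconsole.orig would after the rename) and can clear those bits. The function names, the suffix list and the directory argument are assumptions; the post does not give the install path of dxconsole.

```shell
#!/bin/sh
# Added example: find privileged binaries left behind under backup names
# after a patch renamed them instead of removing them.
# Assumptions: the suffix list below and the function names are illustrative.

# Shared find expression: regular files under directory $1 that have the
# setuid or setgid bit set and a backup-style suffix. Any further
# arguments are appended as extra find primaries.
_find_privileged_backups() {
    _dir=$1
    shift
    find "$_dir" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -name '*.orig' -o -name '*.old' -o -name '*.bak' -o -name '*.save' \) \
        "$@"
}

# Report only: print the path of each leftover privileged backup.
list_privileged_backups() {
    _find_privileged_backups "$1" -print
}

# Remediate: clear setuid and setgid on each match. A path is printed
# only when chmod succeeded on it, because -print follows -exec.
strip_privileged_backups() {
    _find_privileged_backups "$1" -exec chmod u-s,g-s {} \; -print
}

# Typical use (the directory is whatever holds the patched binary):
#   list_privileged_backups /path/to/bin     # review the findings first
#   strip_privileged_backups /path/to/bin    # then clear the bits
```

Clearing the bits keeps the old binary available for rollback; deleting it, as the post describes, removes it altogether.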