How not to respond to a security advisory
Jason Miller, 2006-01-18

A recently announced weakness in the BSD securelevel system isn't going to be fixed in OpenBSD. While securelevel may have problems, the vendor's security response is unacceptable and doesn't fit with their stated goals.

How not to respond to a security advisory 2006-01-19
Anonymous (1 replies)
Linux security contact 2006-01-19
Anonymous
Theo being theo... 2006-01-19
Anonymous (2 replies)
Re: Theo being theo... 2006-01-20
Anonymous
But I don't see how this IS a security issue. If the attacker has root access, then you have bigger problems. If the attacker mounts another filesystem over an important immutable filesystem, then he will be working with privileges he ALREADY HAD on files which are NOT the immutable files. Temporarily he may have the appearance of having modified those files, but it is just a thin facade. Unmount or reboot and the original, unaltered files remain.

So by doing this the attacker can do more? If he is root to start with, then you are kind of screwed anyway. He could have changed non-immutable files regardless of this so-called "vulnerability", and at the same time he is still not able to change any immutable files.

So where is the risk here?

Theo might seem coarse, but he has a proven track record, and I think people should wait to hear his rationale before judging him. I have seen lots of non-issues get brought up against OpenBSD, and it must get pretty tiring to hear people complain about them.

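The comment above argues that mounting over a directory of immutable files only produces a "facade": path lookups are answered by the topmost mount, the schg-flagged files underneath are never written, and they reappear on unmount. The following is an added example (not from the column, the commenter, or OpenBSD) that models just enough of the VFS to make that argument concrete: a mount table resolved by longest matching prefix, an immutable flag on the underlying filesystem, and a check that lists which immutable files a mount currently hides. The filesystem names (`wd0a`, `mfs`) and file contents are constructed; the securelevel and schg semantics are assumed to be as the comment describes them, with no claim about the actual advisory.

```python
"""Toy model of mount stacking over immutable (schg) files.

Constructed example: a minimal VFS with a mount table and per-file
immutability. It is not OpenBSD kernel code; it only models the
behaviour described in the comment: an overlay mount shadows the path,
the underlying immutable file is never modified, and unmounting
restores the original view.
"""
from dataclasses import dataclass, field


class ImmutableError(PermissionError):
    """Raised when a write targets a file flagged immutable (schg)."""


@dataclass
class Filesystem:
    name: str
    files: dict = field(default_factory=dict)      # relative path -> content
    immutable: set = field(default_factory=set)    # relative paths flagged schg

    def read(self, rel):
        return self.files[rel]

    def write(self, rel, data):
        # The immutable flag lives on the underlying file, so a write through
        # this filesystem is refused regardless of the caller's privilege.
        if rel in self.immutable:
            raise ImmutableError(f"{self.name}:{rel} is immutable (schg)")
        self.files[rel] = data


class Vfs:
    def __init__(self, root):
        self.mounts = {"/": root}

    def mount(self, fs, mountpoint):
        self.mounts[mountpoint] = fs

    def umount(self, mountpoint):
        if mountpoint == "/":
            raise ValueError("cannot unmount root")
        del self.mounts[mountpoint]

    def _resolve(self, path):
        # Longest matching mount prefix wins, so a filesystem mounted over a
        # directory shadows whatever the underlying filesystem holds there.
        best = "/"
        for mp in self.mounts:
            if mp == "/":
                continue
            if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
                best = mp
        rel = path[len(best):].lstrip("/") if best != "/" else path.lstrip("/")
        return self.mounts[best], rel

    def read(self, path):
        fs, rel = self._resolve(path)
        return fs.read(rel)

    def write(self, path, data):
        fs, rel = self._resolve(path)
        fs.write(rel, data)

    def shadowed_immutable(self):
        """Immutable files on the root filesystem that a mount currently hides."""
        root = self.mounts["/"]
        hidden = []
        for rel in root.immutable:
            fs, _ = self._resolve("/" + rel)
            if fs is not root:
                hidden.append("/" + rel)
        return sorted(hidden)


def demo():
    """Walk through the scenario from the comment and report what is observed."""
    root = Filesystem("wd0a", files={"bin/ls": "real ls"}, immutable={"bin/ls"})
    vfs = Vfs(root)
    result = {}

    # 1. Root cannot modify the schg file in place.
    try:
        vfs.write("/bin/ls", "trojan ls")
        result["direct_write"] = "succeeded"
    except ImmutableError:
        result["direct_write"] = "denied"

    # 2. Mounting another filesystem over /bin shadows the immutable file.
    overlay = Filesystem("mfs", files={"ls": "trojan ls"})
    vfs.mount(overlay, "/bin")
    result["seen_while_mounted"] = vfs.read("/bin/ls")
    result["hidden_while_mounted"] = vfs.shadowed_immutable()

    # 3. Unmounting restores the original, which was never written.
    vfs.umount("/bin")
    result["seen_after_umount"] = vfs.read("/bin/ls")
    result["hidden_after_umount"] = vfs.shadowed_immutable()
    result["underlying_unchanged"] = root.read("bin/ls") == "real ls"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `shadowed_immutable` check is the part a defender would want: whether the facade counts as a risk is the argument the thread is having, but a list of immutable paths that are currently answered by a different filesystem is cheap to compute and is the condition that would need watching either way.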
What total nonsense. 2006-01-19
Anonymous
"Root problem" again 2006-01-24
Alexey Vesnin
How not to respond to a security advisory 2006-01-25
Michael Favinsky (1 replies)
this is a non-issue 2006-02-04
Anonymous
Copyright 2008, SecurityFocus