Re: Debian unstable suid/sgid list: msg#00015

Subject: Re: Debian unstable suid/sgid list
On Mon, Jun 28, 2004 at 02:30:09PM +0200, Javier Fernández-Sanguino Peña wrote:

> A simple way to find these is finding if the following directories [1] are
> used in the source code (of code or scripts):
> 
> /var/cache/fonts/{pk,source,tfm}
> /var/spool/texmf/{pk,source,tfm}
> /var/lib/php4
> 
> /var/lock/
> /tmp/
> /var/tmp/
> 
> Do you believe you could code also an interface to search for
> files/packages which use those? I currently do this by hand but I think it
> would be great to be able to do this using my local Debian mirror copy.

That sounds good; I was thinking of including more information. The trouble is
that my script scans only binary packages at this time, and the machine
I'm doing this on is already at 95% of its disk capacity, so there's not
really much room for including source packages.

That is, unless there is a mechanism that I could use to automatically
track new packages that enter the archive. That would take away the need
for a complete mirror and I could just delete the processed packages.

Any ideas how to do that? The buildds must be doing something similar..

> Errors of that kind are usually trivial to find/exploit/fix so I'm focusing 
> on them (I have a list of packages I need to bug/patch related to this).
> 
> Also, it would be great if someone coded in a way to automatically run some
> automatic auditing software (such as RATS/Flawfinder/Pscan) and have that
> indexed in a way similar to how lintian.debian.org does it. It could make
> it easy to find packages which need to be analysed in depth. Any volunteer? 
> :-)

That would be nice indeed. Some of the bugs I've come across could have
been found easily with an automated vulnerability scanner. Especially
stuff like passing user-controllable format strings to syslog() just
shouldn't happen any more..

The script could also scan packages for other interesting facts like

  "includes header file sys/socket.h"
  "installs into /etc/cron*"
  "installs into /usr/lib/cgi-bin"
  ..

Anyone with a big enough machine to run this on? :)

I'd volunteer to write the extraction scripts.

Cheers,
Max

-- 
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC
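The two kinds of extraction Max and Javier discuss above, sketched as an added example (this is not Max's script or anything from the Debian archive tooling): a pass over a binary package's data.tar that records setuid/setgid members, "installs into /etc/cron*" / "installs into /usr/lib/cgi-bin" style facts, and references to the shared directories from Javier's list, plus a crude text check for syslog() calls whose format argument is not a string literal. The data.tar and the C snippet are constructed in memory so the script runs offline; a real .deb would first be unpacked with `ar p pkg.deb data.tar.gz`, which is assumed here rather than shown.

```python
import io
import re
import stat
import tarfile

# Shared directories from Javier's list; a reference to one of these in a
# package member is worth a closer look for insecure temp-file handling.
SHARED_DIRS = (
    "/tmp/", "/var/tmp/", "/var/lock/", "/var/lib/php4",
    "/var/cache/fonts/", "/var/spool/texmf/",
)

# Path-based "interesting facts" in the spirit of Max's list.
INTERESTING_PATHS = {
    "installs into /etc/cron*": re.compile(r"^\./etc/cron"),
    "installs into /usr/lib/cgi-bin": re.compile(r"^\./usr/lib/cgi-bin/"),
}


def build_sample_data_tar() -> bytes:
    """Constructed stand-in for a package's data.tar.gz (member names and
    modes are invented for the example; real input comes from the .deb)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(path, mode, content=b""):
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            info.mode = mode
            tar.addfile(info, io.BytesIO(content))
        add("./usr/bin/example-suid", 0o4755, b"\x7fELF")
        add("./usr/sbin/example-sgid", 0o2755, b"\x7fELF")
        add("./usr/bin/plain", 0o755, b"\x7fELF")
        add("./etc/cron.daily/example", 0o755, b"#!/bin/sh\n")
        add("./usr/lib/cgi-bin/example.cgi", 0o755, b"\x7fELF")
        add("./usr/share/example/helper.sh", 0o755,
            b"#!/bin/sh\necho hi > /tmp/example.$$\n")
    return buf.getvalue()


def scan_data_tar(data: bytes) -> dict:
    """Extract suid/sgid members, path facts and shared-directory references."""
    facts = {"suid": [], "sgid": [], "tags": set(), "shared_dir_refs": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # The tar header carries the full mode, including the setuid/setgid bits.
            if member.mode & stat.S_ISUID:
                facts["suid"].append(member.name)
            if member.mode & stat.S_ISGID:
                facts["sgid"].append(member.name)
            for tag, pattern in INTERESTING_PATHS.items():
                if pattern.match(member.name):
                    facts["tags"].add(tag)
            # Byte search works for both scripts and ELF binaries (like `strings | grep`).
            content = tar.extractfile(member).read()
            for directory in SHARED_DIRS:
                if directory.encode() in content:
                    facts["shared_dir_refs"].append((member.name, directory))
    return facts


# Matches `syslog(<priority>, <format>` and captures the format argument.
SYSLOG_CALL = re.compile(r"\bsyslog\s*\(\s*[^,]+,\s*([^,)]+)")


def find_nonliteral_syslog_formats(source: str) -> list:
    """Return (line_no, argument) for syslog() calls whose format argument is
    not a string literal, i.e. the classic user-controlled format-string bug.
    Line-based and regex-based: a heuristic like RATS/Flawfinder, not a parser."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in SYSLOG_CALL.finditer(line):
            arg = match.group(1).strip()
            if not arg.startswith('"'):
                hits.append((line_no, arg))
    return hits


# Constructed C snippet: one correct call, one bug, one fixed form of the bug.
SAMPLE_SOURCE = """\
syslog(LOG_ERR, "cannot open %s", path);
syslog(LOG_INFO, buf);
syslog(LOG_WARNING, "%s", buf);
"""

if __name__ == "__main__":
    for key, value in scan_data_tar(build_sample_data_tar()).items():
        print(key, sorted(value))
    print("non-literal syslog formats:", find_nonliteral_syslog_formats(SAMPLE_SOURCE))
```

The tar pass needs no source package, which matters given the disk constraint mentioned above; only the syslog() check needs source, and it is deliberately a cheap text heuristic that flags candidates for manual review rather than proving a bug.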

