Bug#: 129914
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Eduardo Tongson <propolice@gmail.com>
Description:   Opened: 2006-04-14 01:56 0000
Fixed in 0.30.210

"""snip"""
I tried to use "vserver [servername] suexec [username] [command]" in my startup
scripts, but instead of running as the user I expected, the process ran as root
within the vserver.

I learned that suexec takes a userid Number, instead of a username String.
Since the usual result of pushing alphabetical characters through a
convert-to-number function is 0, which is the userid of root...

Invalid parameters should at least return an error, not run with extra
privileges. =)
"""snip"""
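
The failure mode described in the report above, next to a strict parser that rejects non-numeric input, as an added example (not the vserver tools' code and not the patch referenced in this bug). `lenient_uid` and `strict_uid` are hypothetical names, `atoi` is an assumption standing in for the "convert-to-number function" the reporter mentions, and the sample arguments are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Lenient conversion: atoi() yields 0 for "alice", and uid 0 is root. */
static uid_t lenient_uid(const char *arg)
{
    return (uid_t)atoi(arg);
}

/* Strict conversion: returns 0 and stores the uid in *out on success,
 * returns -1 (leaving *out untouched) for anything but a plain decimal uid. */
static int strict_uid(const char *arg, uid_t *out)
{
    char *end;
    unsigned long v;

    if (arg == NULL || *arg < '0' || *arg > '9')
        return -1;              /* empty string, sign, whitespace or a name */
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;              /* overflow, or trailing junk as in "12abc" */
    if (v >= (unsigned long)(uid_t)-1)
        return -1;              /* out of range; (uid_t)-1 is a sentinel */
    *out = (uid_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample arguments, not taken from the bug report. */
    const char *samples[] = { "alice", "1000", "0", "12abc", "-1", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uid_t uid;

        printf("\"%s\": lenient=%lu ", samples[i],
               (unsigned long)lenient_uid(samples[i]));
        if (strict_uid(samples[i], &uid) == 0)
            printf("strict=%lu\n", (unsigned long)uid);
        else
            printf("strict=rejected\n");
    }
    return 0;
}
```

A caller that drops privileges should treat the `-1` return as fatal and exit before any `setuid()` call, so a mistyped username can never fall through to uid 0.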

------- Comment #1 From Benedikt Böhm 2006-04-14 04:18:07 0000 -------
This has not been fixed in 0.30.210, the patch has been added to 0.30.210-r12
and hopefully it will get in 0.30.211 upstream... although r12 is in for a few
days, I made it stable, previous revisions got massive testing anyway..

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-04-14 04:24:25 0000 -------
This is ready for GLSA decision. I vote a full NO.

Not even sure it's a security issue.

------- Comment #3 From Thierry Carrez (RETIRED) 2006-04-14 13:28:24 0000 -------
Full NO and closing.
