[Pkg-shadow-devel] Bug#628843: Ping

Arne Wichmann aw at anhrefn.saar.de
Wed Oct 19 13:07:56 UTC 2011

begin quotation from Nicolas François (in <20111017211732.GJ16703 at nekral.nekral.homelinux.net>):
> On Sun, Oct 16, 2011 at 05:20:31PM +0200, bubulle at debian.org wrote:
> > Quoting Arne Wichmann (aw at anhrefn.saar.de):
> > > This critical bug is now pending for more than 3 months. Is there any
> > > update on the situation?
> > 
> > Nicolas should actually release upstream 4.1.5 and then upload
> > 4.1.5-1. Nicolas?
> Yes, this is the plan.
> There are still some untested changes, and I still have a few uncommitted
> changes on my tree.
> Regarding this bug
>  * Arne, I do not know if your ping was related to the potential security
>    impact, but it could help to have an assessment of the proposed solution
>    (and also comment 46)

Ok, let me think...

- @@ -264,6 +264,11 @@
  This has the effect that "su -c ... " can no longer be used to call
  programs which use terminals - for example dialog. This should at least
  be prominently documented.

The rest looks like it could work. But I would not call myself a specialist
on Unix tty-handling.

The last sentence applies to comment 46, too.

>  * It did not seem that critical to me (e.g. in the pointed
>    comp.security.oss.general thread, there was no agreement for a CVE)

I do not really want to argue about bug severity here - this assessment is
better left to you. I did however use su in the past in non-interactive
scripts to lower privileges - if this isn't supported it should at least be
documented, again... ;-)


[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. No one can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw at linux.de)