Re: Security problem in ESRI's ArcDoc 7.0.4
From: jwa () nbs nau edu (James W. Abendschan)
Date: Fri, 24 May 1996 19:12:46 -0700
Way back on May 24, 11:05am, "Sven.Wijk" wrote:
The program doesn't seem to be there in the version we are running (7.0.2).
Downgrading might be an alternative solution. Please correct me if I'm wrong!
Downgrading might work, but Arc/Info is so buggy we *need* 7.0.4. I
just removed the suid bit from fm_fls; it seems to not have any adverse
A quick search in the ArcInfo directories showed 4 other programs suid to root.
Do we have a potential for problems?
-rwsr-sr-x 1 root root 1319912 Jan 21 01:31 ./arcexe70/programs/asmaster
-rwsr-sr-x 1 root root 5871192 Jan 21 01:32 ./arcexe70/programs/asrecovery
-rwsr-sr-x 1 root root 6059112 Jan 21 01:32 ./arcexe70/programs/asuser
-rwsr-sr-x 1 root root 1110856 Jan 21 01:32 ./arcexe70/programs/asutility
-rwsr-sr-x 1 root root 3724136 Jan 29 12:00 ./arcexe70/programs/se
-rwsr-sr-x 1 root root 24464 Jan 21 01:31 ./arcexe70/programs/wservice
-rwsr-sr-x 1 root root 20016 Jan 21 01:20 ./arcexe70/programs/abservice
-rwsr-sr-x 1 root root 3200832 Jan 21 01:20 ./arcexe70/programs/asbuil
I suppose statistically, there must be at least one security bug in
programs this large. Unfortunately (?), all but two of these won't run on our
system (we don't have a license for them.)
Our GIS-people earlier looked at ESRI's product ArcStorm. Its client-server
solution is built on:
- a bunch of programs suid to root
- the client must be trusted hosts to the server, by means of the /etc/.rhost
or /etc/host.equiv file.
This made me very uneasy, and I finally managed to get them to drop their
ArcStorm-dreams, and to search for some more security-minded solution.
It seems that security isn't a high priority issue for ESRI's developers.
Nor is bug-free code, but this isn't alt.esri.bash.bash.bash ..
James W. Abendschan Email: jwa () nbs nau edu
UNIX Systems Programmer/Administrator Phone: (520) 556-7466 x238
Colorado Plateau Research Station, Flagstaff, AZ Voice mail: *516
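
The audit and the mitigation discussed in this thread (searching an install tree for setuid programs, then removing the bit from one of them), as an added example that is not part of the original message. The function names and the uid parameter are assumptions made for illustration; uid 0 (root) is the default.

```shell
#!/bin/sh
# Added example (not from the original post): audit an application tree for
# setuid/setgid files and drop the bits from a file that has been reviewed.

# list_suid DIR [UID]: print every regular file under DIR owned by UID
# (default 0, root) that has the setuid or setgid bit set, sorted.
list_suid() {
    dir=$1
    uid=${2:-0}
    find "$dir" -xdev -type f -user "$uid" \
        \( -perm -4000 -o -perm -2000 \) -print | sort
}

# count_suid DIR [UID]: number of files list_suid reports.
count_suid() {
    list_suid "$1" "${2:-0}" | wc -l | tr -d ' '
}

# drop_suid FILE: remove the setuid and setgid bits from one file, leave the
# rest of the mode alone, and print the old and new mode so the change can
# be reverted if the application turns out to need it.
drop_suid() {
    file=$1
    # Refuse symlinks and non-regular files: chmod would follow the link.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "drop_suid: not a regular file: $file" >&2
        return 1
    fi
    before=$(ls -ld "$file" | cut -d' ' -f1)
    chmod u-s,g-s "$file" || return 1
    after=$(ls -ld "$file" | cut -d' ' -f1)
    echo "$file: $before -> $after"
}
```

Run `list_suid` against the install directory after every vendor upgrade, since an installer can restore bits that were removed by hand.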