Home page logo

bugtraq logo Bugtraq mailing list archives

Re: TESO & C-Skills development advisory -- imwheel
From: whitevampire () MINDLESS COM (WHiTe VaMPiRe)
Date: Sun, 19 Mar 2000 11:31:56 -0500

On Thu, Mar 16, 2000 at 02:38:47PM +0100, Sebastian(krahmer () CS UNI-POTSDAM DE) wrote:
: TESO Security Advisory
: 2000/03/13
: imwheel local root compromise

        The Slackware package available from Linuxmafia.org
(http://linuxmafia.org/pcentral/search_view.php3?name=imwheel) is not
effected by this, as it does not package with the SUID wrapper.  (The
binary included is also not set SUID.) This is with version 0.9.6 of

        A SUID wrapper should simply not be necessary in the first

        As far as I can tell the standard package of imwheel 0.9.7 does
not have a wrapper.  However, during 'installation,' it will prompt you
asking whether or not to install SUID.

An excerpt from the Makefile:

        ## Setting UID, this is best for non-root usage!
        ## This does not effect usage for root users. (duh!)
        ## This gives all users kill privileges for other imwheel processes.

        Judging from that, if you setup imwheel to be started via the
users' xinit scripts, and killed upon logout, it would have the same

        To reiterate, SUID is just a quick cop-out for a better 
setup.  If it is a one-user desktop machine, even less than that would
have to be done.


    __      ______   ____
   /  \    /  \   \ /   / WHiTe VaMPiRe\Rem
   \   \/\/   /\   Y   /  whitevampire () mindless com
    \        /  \     /   http://www.projectgamma.com/
     \__/\  /    \___/    http://www.gammaforce.org/
          \/ "Silly hacker, root is for administrators."

<LI>application/pgp-signature attachment: stored

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]