tech-security archive
Re: hardlinks to setuid binaries
Date: Fri, 25 Mar 2022 09:37:38 -0400
From: Jan Schaumann <jschauma%netmeister.org@localhost>
Message-ID: <20220325133738.GS1131%netmeister.org@localhost>
| Now the sysadmin updates the sudo package, fixing the
| vulnerability, but your ~/.sudo remains vulnerable.

It depends how the update is done. unlink old, install new,
will have that effect, but chmod 0 old, unlink old, install
new does not, nor does cp new old (in all cases, with
needed chown, chmod, etc, done after the binary update as well).

The link isn't the real problem, but like a lot of things, it is
easier to place blame where it doesn't belong rather than
accept it where it does.

kre
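
The three update procedures compared in this message, as an added example that is not part of the original post: plain files in a temporary directory stand in for the setuid binary, so no root is needed. The function `link_state`, the file name `userlink` and the three state names are made up for this demonstration.

```shell
#!/bin/sh
# Constructed demo: "old" is the installed setuid binary, "userlink" is a
# pre-existing hard link to it (the ~/.sudo of the quoted text), "new" is
# the fixed build. All names and state strings are hypothetical.

inode() { ls -i "$1" | awk '{print $1}'; }

# link_state METHOD -> what the user's hard link refers to after the update:
#   stale-setuid       old inode, setuid bit still set
#   stale-neutralized  old inode, mode 0
#   updated-in-place   same inode as the installed path, so the fixed content
link_state() {
    dir=$(mktemp -d) || return 1
    printf 'old vulnerable build\n' > "$dir/old"
    chmod 4755 "$dir/old"
    ln "$dir/old" "$dir/userlink"
    printf 'new fixed build\n' > "$dir/new"

    case $1 in
    unlink-install)                       # unlink old, install new
        rm -f "$dir/old"
        cp "$dir/new" "$dir/old" ;;
    chmod0-unlink-install)                # chmod 0 old, unlink old, install new
        chmod 0 "$dir/old"
        rm -f "$dir/old"
        cp "$dir/new" "$dir/old" ;;
    cp-over)                              # cp new old: rewrites the same inode
        cp "$dir/new" "$dir/old" ;;
    esac
    chmod 4755 "$dir/old"                 # the chmod done after the update

    if [ "$(inode "$dir/userlink")" = "$(inode "$dir/old")" ]; then
        state=updated-in-place
    elif [ -n "$(find "$dir/userlink" -perm -4000)" ]; then
        state=stale-setuid
    else
        state=stale-neutralized
    fi
    rm -rf "$dir"
    echo "$state"
}

for m in unlink-install chmod0-unlink-install cp-over; do
    printf '%-24s %s\n' "$m" "$(link_state "$m")"
done
```
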