Ah, probably true that. Since I'm only very partially college educated, I didn't get to meet a lot of the profs around campus. Just seemed to me that they'd all be like engineering geeks or something, you know the types.
I was actually reading the descriptions from the web pages linked to in my parent (which I don't have on screen anymore, sorry) and it said the only program that ran setuid would've been the spooler program, that actually writes the mail to the spool file. Sort of a memory - to - disk pipe, if I gather right. (i've never looked at qmail, so this is all conjecture so far)
I'm curious how to get port 25 if you're not setuid. (there's probably some permissions list somewhere that I don't know about)
On the other hand, as the spool files themselves should be owned by the actual user they belong to, rather than to root, the spooler program although being setuid should never run at a privilege level. The only reason it should be setuid is so that it can change its uid to one with lower permissions. It should run with zero privilege level for anything that it's doing except actually writing to the file, when it should be executing as the user that owns that file.
Am I making sense, or just appearing like a raving lunatic, because although I use Linux every day, the last time I actually cared about anything on the internal side of a Unix, System III Unix was the new kid on the block?
I would mod this Funny, several times over, if I hadn't already commented a million times within this thread....
oh, determine your host's ip via name, then search for "smtp.yourhost.com", or something along those lines, to find your ISP's mail server.. and if that fails, then try a pre-coded IP address for some known relay server...
i don't know of a Unix that denies network access at the protocol level for any user/process, even if it is completely unprivileged. Once it's in, it can access the network.
I don't know a "normal" linux distribution except maybe gentoo that doesn't automagically install sendmail or some other mailer program, without giving you even the option of turning it off. Mail is one of the basic functions of the multi-user system design, although since the vast majority of Unix workstations out there are now multi-user systems with only one user... times need to go achangin!
Anyone that doesn't use dynamic allocation should basically be shot, if their program ever takes user input. And what sort of a program doesn't take user input? Damn few... (chorus: and they're all dead!)
Hmm. $500 for finding a security hole? If he were that great, don't you think some commercial vendor would have scooped him up? Even if he IS a total asshat? Either a software producing company, or a security auditor, or something?
Oh, his judgment is final. Of course, no one will ever win, if he's the supreme asshat that everyone here is making him out to be.
On the qmail one, he specifically states that it must be an attack that would allow it to take over another account, or take over the machine, excluding DoS attacks.
His description of what 'sendmail' does makes absolutely no sense to me, although I've never really made any sense out of 'sendmail' either..
About the only thing that could possibly be exploited and would qualify could be anything that might cause it to dump bad data to a user's mail spool, which could then take advantage of bugs in some other mail program. The only thing in his qmail system that runs with ANY privileges is basically just a pipe from memory to a file.
I would like to know how he gets ahold of port 25 for SMTP, without having any privileges though.. last I knew, getting ports below 1000 required root access? Or has that changed in the last several years since I've done any caring about Internet protocols?
He's basically got a contest that says "i make the rules, and the rules say no one can win, so fark you"
Lordy, IO, don't you know enough by now to NOT EVER talk about "the last bug"?? Now you've got 400 more. :P
Hmm. I was under the impression that college professors only got laid a few times in their lives, and that was likely back when they were students, themselves.
And probably not even likely then, when we're talking about advanced subjects...
Hmm. I'm going to make some code modifications to jpeg-lib that refuse to decode anything that shape-resembles goatse-man, including the TIME cover.
Oh, and fix some buffer exploits.
You are absolutely correct, compared to the parent. No dataset should ever cause a program to execute arbitrary code, unless that program's PURPOSE is to execute arbitrary code.
The BSD Copyright notice was distributed with the last versions of Windows that I used (3.11, 95, 98) specifically to cover the BSD Sockets code.. I don't know about future releases.. but.. since just about every socket implementation there ever was is based on BSD Sockets code... well, I don't think anyone really cares all that much.
(Is Linux's socket code still based on BSD? Or did it get re-written somewhere in the last 2 major versions?)
I'm sure that a TV channel dedicated to wieners, and other female interests would attract just as many women as SpikeTV attracts men..
err.... /home/eblade# wine ~/windows/msoffice/word.exe
;)
There we go
Not that I actually own word, or have copies of it, because I don't. I don't own anything microsoft, except a mouse.
I couldn't even comprehend the "readable" version of the Perl one. Gave me a freakin headache, and it isn't full of ``````````''''''''' like most Perl scripts i've seen are.
I've never even looked at Python before, and I could kinda follow it a little.
What the hell moron moderated this Insightful? I've got mod points, but I've already posted in this thread, so I can't fix it.. Jesus, don't you guys ever -read- posts?
back when Napster was king, I wrote a little client/server-based system, that would keep track of who had what files available for trade, details about the files, and details on how to contact the person who had them.
Never bothered writing a client, but the server was written in LPC (the LP-Mud language, yes), in like 24 lines, and was definitely more functional than napster's servers were, and could probably scale better as well, not that i ever really tested it for that.
Hell, my initial plan was just to have it be a central repository of FTP server information.. what would be the legality of that? Apparently it would be totally illegal now, as that's basically what Napster did, and it was deemed illegal (wasn't it?)
So, having a central list of publicly available files and where to get them is illegal.. hmm..
Sounds like phone directories have now become illegal too!
Well, I agree there too, but the parent to your post was trash talking that show.. Isn't that just the most hilarious? especially when you're a little buzzed, at the bar?
See my previous posted labeled "technology, tires, and titties."
MacGyver and Star Trek: technology, technology, technology.
Apparently you don't watch CNN much, because CNN is just absolutely FULL of "male enhancement" ads and has been for years before Spike ever existed.
Maybe if 9-out-of-10 times they are portrayed as sex-crazed idiots.. hmm.. look around you. find a random sampling of 100 adult males.. tell me that 90 of them -aren't- sex-crazed idiots.. if you succeed in doing that, try with 1000 vs 900. I'm sure the more people you interview the worse it gets, not the better.
Scantily clad women have absolutely nothing to do with classic muscle cars, either.. but.. what do you see on the cover of every muscle car magazine in the world? Some chick with her tits bustin out her top, for the whole world to check out. They know damn well it ain't got nothin to do with the cars, and all it's doing is giving you something you care even MORE about looking at than tires... tits. (technology, tires, and titties.. the three things men love)
I think now we know why Half-Life 2 took 5-6 years to develop, and get running:
The artists had enough money from the sales of the first game, and all the other add-ons, that they were able to actually see what a REAL woman looks like, live and IN THE FLESH. w00t.
From what I understand the level of voice compression that T-Mobile and Cingular use is so high, because their bandwidth and capacity is so limited, that it makes everything sound like garbage. From what I understand, GSM is a great system.. just here in the U.S. it absolutely sucks ass in implementation.
Lots and lots and lots of people have been asking me the last couple of days "what's going on with Sprint-Nextel?".. looks like people can't -wait-. One guy who had like thirty nextel phones was tellin me that he really wanted all new equipment, and was waiting for this to happen. *shrug*
I can't speak for service specifically in Southern California, but no one in their right mind buys a local only plan anyway.. and sure, your local area with T-Mobile is.. anywhere they have service. Which, by the way, is virtually nowhere. There's a reason they are the smallest physical network. And the sound quality is like garbage cans rattling in an alleyway.
It definitely wouldn't be a problem being within range, if you're at an altitude low enough to smash into buildings.
Nextels also do the same. This explains why all my friends with T-Mobile and Suckular know their phones are going to ring, when they are at my house.. every damn speaker in my house starts screeching about a second before their phones start ringing.
CDMA doesn't do this.
CDMA-1900 also doesn't work in the air.
You need to find a provider that is not Cingular or T-Mobile, so that your conversations don't sound like that. :)