lynx-dev

Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)


From: Larry W. Virden, x2487
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Tue, 24 Jun 1997 15:15:01 -0400

> Being able to read/copy files is =not= really an issue.  Postulating any
> sort of effective _system_ management, LYNX is either running _as_the_user_
> who invoked it; or in the case where it's being used as a 'public access' 
> browser/viewer it is running as _its_own_ userid.  In _either_ case, the
> *system* access-controls are still in effect, and unless LYNX is running 
> with an effective userid of _root_, cannot access any 'sensitive' files.
> Note: '/etc/passwd' is *not* a 'sensitive' file, on a properly managed 
> system.  Everybody *should* be running 'shadow passwords' at this point,
> whereupon the readability of /etc/passwd is not a "significant" issue.

However, in any situation where shadow passwords are not available,
it _is_ a problem.  Also, one's definition of 'sensitive' may be
debatable.  Some naive admins may think that anything not specifically
pointed to by an HTML page is 'safe'.  This is not the case, since
the CERT announcement has shown that other files can be accessed.
-- 
Larry W. Virden                 INET: address@hidden
<URL:http://www.teraform.com/%7Elvirden/> <*> O- "We are all Kosh."
Unless explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.