Security Advisory: usermode [2003:031-1] Failure CORRECTED!

[aru]

MandrakeSoft Security Advisory MDKSA-2003:031-1 : usermode

 

March 14th, 2003

Updated usermode packages remove insecure shutdown command

 

The /usr/bin/shutdown command that comes with the usermode package can be executed by local users to shutdown all running processes and drop into a root shell. This command is not really needed to shutdown a system, so it has been removed and all users are encouraged to upgrade. Please note that the user must have local console access in order to obtain a root shell in this fashion.

 

Update:

 

The previous updated packages did not properly fix the problem. The pam files that allow a (physically) local user to shutdown were not removed. This has been corrected.

 

 

The released versions of Mandrake GNU/Linux affected are:

• 8.1

 

[*] 8.1/IA64

 

[*] 8.2

 

[*] 8.2/PPC

 

[*] Multi Network Firewall 8.2

 

[*] Corporate Server 2.1

 

 

All the information about this advisory is available at:

www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:031-1

 

This stuff was posted automatically by aru

 

[edit]Changed title to avoid confusions[/edit]

[aru]

Well, ..., I'm the best 8)

 

I did already posted that solution at:

http://www.mandrakeusers.org/viewtopic.php?t=3610

 

Just my pathetic minute of glory :mrgreen:

[Guest ndeb]

The updates for mandrake-9.0 are in ftp://mirrors.secsup.org/pub/linux/mandra...pdates/9.0/RPMS even though the advisory does not list the rpms for mandrake-9.0 yet (which is strange because this bogus bug-fix was discovered on a mandrake-9.0 system).