LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: December 19th, 2014
Linux Advisory Watch: December 12th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: February 4th 2005 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Security Week This week, advisories were released for squirrelmail, prozilla, cpio, openswan, enscript, zlib, gaim, cvs, openssl, curl, ruby, rhgh, file, net-tools, gimp, squid, dump, mc, dbus, kdepim, xpdf, kernel, ngIRCd, tikiwiki, f2c, ncfs, clamav, imap, chbg, vim, perl-dbi, and ethereal. The distributors include Debian, Fedora, Gentoo, Mandrake, and Red Hat.


Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Hello, my name is Benjamin Thomas and I am with Guardian Digital, the primary sponsor of LinuxSecurity.com Welcome to the first of the "Getting to know Linux Security" series tutorials that will be featured on our site. Today's topic is file permissions. This lesson is primarily intended for those users who are just getting started, and other wishing to brush up old skills. The examples I show you today are from a typical Linux command line. Today, I'll be using EnGarde Secure Linux. More information about this distribution can be found at Guardian Digital.com and it can be downloaded at EnGardeLinux.org.

Lets Begin. To see a listing of files in a directory, execute the command 'ls'. As you'll see, there are no files in the temporary directory that I'm using. Let's first create several files.

touch file1 file2 file3

The command 'ls' then shows the files we have created. A more informative way to show the files is ls -la. The 'l' switch lists files in long format and the 'a' switch lists all files, including hidden ones.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

 

LinuxSecurity.com Feature Extras:

The Tao of Network Security Monitoring: Beyond Intrusion Detection - To be honest, this was one of the best books that I've read on network security. Others books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant.

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

A 2005 Linux Security Resolution - Year 2000, the coming of the new millennium, brought us great joy and celebration, but also brought great fear. Some believed it would result in full-scale computer meltdown, leaving Earth as a nuclear wasteland. Others predicted minor glitches leading only to inconvenience. The following years (2001-2004) have been tainted with the threat of terrorism worldwide.

 

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More then just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New squirrelmail package fixes several vulnerabilities
  1st, February, 2005

Upstream developers noticed that an unsanitised variable could lead to cross site scripting.

http://www.linuxsecurity.com/content/view/118141
 
  Debian: New prozilla packages fix arbitrary code execution
  1st, February, 2005

Several buffer overflows have been discovered in prozilla, a multi-threaded download accelerator which could be exploited by a remote attacker to execute arbitrary code on the victim's machine. An exploit for prozilla is already in the wild.

http://www.linuxsecurity.com/content/view/118148
 
  Debian: New cpio packages fix insecure file permissions
  2nd, February, 2005

http://www.linuxsecurity.com/content/view/118163
 
   Fedora
  Fedora Core 3 Update: enscript-1.6.1-28.0.4
  31st, January, 2005

This update fixes another regression introduced by a recent update.

http://www.linuxsecurity.com/content/view/118131
 
  Fedora Core 3 Update: openswan-2.1.5-2.FC3.1
  28th, January, 2005

This erratum fixes the remote exploitation of a stack based buffer overflow vulnerability in Xelerance Corp.'s Openswan, which could allow attackers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/118104
 
  Fedora Core 2 Update: elinks-0.9.1-1.1
  28th, January, 2005

http://www.linuxsecurity.com/content/view/118108
 
  Fedora Core 3 Update: elinks-0.9.2-2.1
  28th, January, 2005

Links is a text-based Web browser. Links does not display any images, but it does support frames, tables and most other HTML tags. Links' advantage over graphical browsers is its speed--Links starts and exits quickly and swiftly displays Web pages.

http://www.linuxsecurity.com/content/view/118109
 
  Fedora Core 2 Update: enscript-1.6.1-25.3
  28th, January, 2005

This update fixes a regression introduced by the last update.

http://www.linuxsecurity.com/content/view/118111
 
  Fedora Core 3 Update: enscript-1.6.1-28.0.3
  28th, January, 2005

This update fixes a regression introduced by the last update.

http://www.linuxsecurity.com/content/view/118112
 
  Fedora Core 2 Update: zlib-1.2.1.2-0.fc2
  28th, January, 2005

Fixes 2 DoS issues

http://www.linuxsecurity.com/content/view/118113
 
  CORRECTION: Fedora Core 2 Update: gaim-1.1.2-0.FC2
  28th, January, 2005

Fixes a great many bugs. Refer to the official changelog for details.

http://www.linuxsecurity.com/content/view/118114
 
  CORRECTION: Fedora Core 3 Update: gaim-1.1.2-0.FC3
  28th, January, 2005

Fixes a great many bugs. Refer to the official changelog for details.

http://www.linuxsecurity.com/content/view/118115
 
  Fedora Core 3 Update: NetworkManager-0.3.3-1.cvs20050119.2.fc3
  31st, January, 2005

Remove bind+caching-nameserver dep for FC-3, use 'nscd -i hosts' instead. DNS queries may timeout now right after device activation due to this change.

http://www.linuxsecurity.com/content/view/118122

 
  Fedora Core 3 Update: openssl096b-0.9.6b-21
  31st, January, 2005

This update adds missing fix for CAN-2004-0081.

http://www.linuxsecurity.com/content/view/118126
 
  Fedora Core 2 Update: openssl096b-0.9.6b-20
  31st, January, 2005

This update adds missing fix for CAN-2004-0081.

http://www.linuxsecurity.com/content/view/118127
 
  Fedora Core 3 Update: curl-7.12.3-2
  31st, January, 2005

libidn-devel is now required so that systems using the devel subpkg will build correctly. The latest version of curl uses the poll() syscall to get around a previous file descriptor limit.

http://www.linuxsecurity.com/content/view/118128
 
  Fedora Core 3 Update: system-config-printer-0.6.116.1-1
  31st, January, 2005

Bug-fix release.

http://www.linuxsecurity.com/content/view/118132
 
  Fedora Core 3 Update: ruby-1.8.2-1.FC3.1
  31st, January, 2005

Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.

http://www.linuxsecurity.com/content/view/118133
 
  Fedora Core 3 Update: rhgb-0.16.2-1.FC3
  31st, January, 2005

This update fixes various errors of the form "init: open(/dev/pts/0): No such file or directory".

http://www.linuxsecurity.com/content/view/118134
 
  Fedora Core 3 Update: file-4.12-1.FC3.1
  1st, February, 2005

The file command is used to identify a particular file according to the type of data contained by the file. File can identify many different file types, including ELF binaries, system libraries, RPM packages, and different graphics formats.

http://www.linuxsecurity.com/content/view/118143
 
  Fedora Core 3 Update: net-tools-1.60-37.FC3.1
  1st, February, 2005

The net-tools package contains basic networking tools, including ifconfig, netstat, route, and others.

http://www.linuxsecurity.com/content/view/118144
 
  Fedora Core 3 Update: gimp-2.2.3-0.fc3.2
  1st, February, 2005

The GIMP includes a scripting facility, but many of the included scripts rely on fonts that we cannot distribute. The GIMP FTP site has a package of fonts that you can install by yourself, which includes all the fonts needed to run the included scripts. Some of the fonts have unusual licensing requirements; all the licenses are documented in the package.

http://www.linuxsecurity.com/content/view/118145
 
  Fedora Core 3 Update: system-config-services-0.8.18-0.fc3.1
  1st, February, 2005

system-config-services is a utility which allows you to configure which services should be enabled on your machine.

http://www.linuxsecurity.com/content/view/118146
 
  Fedora Core 2 Update: squid-2.5.STABLE7-1.FC2.1
  1st, February, 2005

Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools.

http://www.linuxsecurity.com/content/view/118153
 
  Fedora Core 3 Update: squid-2.5.STABLE7-1.FC3.1
  1st, February, 2005

Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

http://www.linuxsecurity.com/content/view/118154
 
  Fedora Core 2 Update: dump-0.4b39-1.FC2
  2nd, February, 2005

Updated dump packages contain fixes related to possible data corruption, unintentional writes to target partition and many other bugfixes. The updated dump also contains support for Extended Attributes/Access Control Lists.

http://www.linuxsecurity.com/content/view/118164
 
  Fedora Core 3 Update: dump-0.4b39-1.FC3
  2nd, February, 2005

Updated dump packages contain fixes for unintentional writes to target partition and other bugfixes. The updated dump also contains support for Extended Attributes/Access Control Lists.

http://www.linuxsecurity.com/content/view/118165
 
  Fedora Core 3 Update: mc-4.6.1-0.12.FC3
  2nd, February, 2005

The updated mc package contains the latest release candidate, mc-4.6.1-pre3 and many bugfixes.

http://www.linuxsecurity.com/content/view/118166
 
  Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.75
  2nd, February, 2005

This package contains the SELinux example policy configuration along with the Flask configuration information and the application configuration files.

http://www.linuxsecurity.com/content/view/118167
 
  Fedora Core 3 Update: policycoreutils-1.18.1-2.6
  2nd, February, 2005

Security-enhanced Linux is a patch of the Linux¨ kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux.

http://www.linuxsecurity.com/content/view/118168
 
  Fedora Core 3 Update: dbus-0.22-10.FC3.2
  2nd, February, 2005

Security fix for Bug#146765 (CAN-2005-0201)

http://www.linuxsecurity.com/content/view/118170
 
  Fedora Core 3 Update: kdepim-3.3.1-1.FC3.1
  3rd, February, 2005

A PIM (Personal Information Manager) for KDE.

http://www.linuxsecurity.com/content/view/118175
 
  Fedora Core 3 Update: xpdf-3.00-10.3
  3rd, February, 2005

Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Xpdf is a small and efficient program which uses standard X fonts.

http://www.linuxsecurity.com/content/view/118176
 
  Fedora Core 2 Update: kernel-2.6.10-1.12_FC2
  3rd, February, 2005

The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

http://www.linuxsecurity.com/content/view/118177
 
  Fedora Core 3 Update: kernel-2.6.10-1.760_FC3
  3rd, February, 2005

The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

http://www.linuxsecurity.com/content/view/118178
 
   Gentoo
  Gentoo: SquirrelMail Multiple vulnerabilities
  28th, January, 2005

SquirrelMail fails to properly sanitize user input, which could lead to arbitrary code execution and compromise webmail accounts.

http://www.linuxsecurity.com/content/view/118103
 
  Gentoo: ngIRCd Buffer overflow
  28th, January, 2005

ngIRCd is vulnerable to a buffer overflow that can be used to crash the daemon and possibly execute arbitrary code.

http://www.linuxsecurity.com/content/view/118110
 
  Gentoo: TikiWiki Arbitrary command execution
  30th, January, 2005

A bug in TikiWiki allows certain users to upload and execute malicious PHP scripts.

http://www.linuxsecurity.com/content/view/118117
 
  Gentoo: VDR Arbitrary file overwriting issue
  30th, January, 2005

VDR insecurely accesses files with elevated privileges, which may result in the overwriting of arbitrary files.

http://www.linuxsecurity.com/content/view/118118
 
  Gentoo: f2c Insecure temporary file creation
  30th, January, 2005

f2c is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/118119
 
  Gentoo: ncpfs Multiple vulnerabilities
  30th, January, 2005

The ncpfs utilities contain multiple flaws, potentially resulting in the remote execution of arbitrary code or local file access with elevated privileges.

http://www.linuxsecurity.com/content/view/118120
 
  Gentoo: Gallery Cross-site scripting vulnerability
  30th, January, 2005

Gallery is vulnerable to cross-site scripting attacks.

http://www.linuxsecurity.com/content/view/118121
 
  Gentoo: ClamAV Multiple issues
  31st, January, 2005

ClamAV contains two vulnerabilities that could lead to Denial of Service and evasion of virus scanning.

http://www.linuxsecurity.com/content/view/118130
 
  Gentoo: FireHOL Insecure temporary file creation
  1st, February, 2005

FireHOL is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/118150
 
  Gentoo: FireHOL Insecure temporary file creation
  1st, February, 2005

FireHOL is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/118151
 
  Gentoo: UW IMAP CRAM-MD5 authentication bypass
  2nd, February, 2005

UW IMAP contains a vulnerability in the code handling CRAM-MD5 authentication allowing authentication bypass.

http://www.linuxsecurity.com/content/view/118157
 
  Gentoo: enscript Multiple vulnerabilities
  2nd, February, 2005

enscript suffers from vulnerabilities and design flaws, potentially resulting in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118159
 
  Gentoo: Squid Multiple vulnerabilities
  2nd, February, 2005

Squid contains vulnerabilities in the code handling WCCP, HTTP and LDAP which could lead to Denial of Service, access control bypass, web cache and log poisoning.

http://www.linuxsecurity.com/content/view/118169
 
  Gentoo: Newspost Buffer overflow vulnerability
  2nd, February, 2005

A buffer overflow can be exploited to crash Newspost remotely and potentially execute arbitrary code.

http://www.linuxsecurity.com/content/view/118171
 
   Mandrake
  Mandrake: Updated clamav package
  29th, January, 2005

A problem in the initscript prevented clamd from starting properly. These new packages fix that problem.

http://www.linuxsecurity.com/content/view/118116
 
  Mandrake: Updated clamav packages fix
  31st, January, 2005

Two problems were discovered in versions of clamav prior to 0.81. An attacker could evade virus scanning by sending a base64-encoded imaege file in a URL. Also, by sending a specially-crafted ZIP file, an attacker could cause a DoS (Denial of Service) by crashing the clamd daemon.

http://www.linuxsecurity.com/content/view/118136
 
  Mandrake: Updated KDE packages
  31st, January, 2005

A problem with the previous update prevented users from updating kdebase due to a missing file and incomplete rpm header information. The updated kdebase packages fix this problem.

http://www.linuxsecurity.com/content/view/118137
 
  Mandrake: Updated imap packages fix
  2nd, February, 2005

A vulnerability was discovered in the CRAM-MD5 authentication in UW-IMAP where, on the fourth failed authentication attempt, a user would be able to access the IMAP server regardless. This problem exists only if you are using CRAM-MD5 authentication and have an /etc/cram-md5.pwd file. This is not the default setup. The updated packages have been patched to prevent these problems.

http://www.linuxsecurity.com/content/view/118155
 
  Mandrake: Updated chbg packages fix
  2nd, February, 2005

A vulnerability in chbg was discovered by Danny Lungstrom. A maliciously-crafted configuration/scenario file could overflow a buffer leading to the potential execution of arbitrary code. The updated packages are patched to prevent the problem.

http://www.linuxsecurity.com/content/view/118156
 
  Mandrake: Updated vim packages fix
  2nd, February, 2005

Javier Fernandez-Sanguino Pena discovered two vulnerabilities in scripts included with the vim editor. The two scripts, "tcltags" and "vimspell.sh" created temporary files in an insecure manner which could allow a malicious user to execute a symbolic link attack or to create, or overwrite, arbitrary files with the privileges of the user invoking the scripts. The updated packages are patched to prevent this problem.

http://www.linuxsecurity.com/content/view/118172
 
   Red Hat
  RedHat: Updated enscript package fixes security issues
  1st, February, 2005

An updated enscript package that fixes several security issues is now available.

http://www.linuxsecurity.com/content/view/118138
 
  RedHat: Updated CUPS packages fix security issue
  1st, February, 2005

Updated CUPS packages that fixes a security issue are now available.

http://www.linuxsecurity.com/content/view/118139

 
  RedHat: Updated perl-DBI package fixes security issue
  1st, February, 2005

An updated perl-DBI package that fixes a temporary file flaw in DBI::ProxyServer is now available.

http://www.linuxsecurity.com/content/view/118140
 
  RedHat: Updated Ethereal packages fix security issues
  2nd, February, 2005

Updated Ethereal packages that fix various security vulnerabilities are now available.

http://www.linuxsecurity.com/content/view/118158
 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Weekend Edition
Report: U.S. planning “proportional response” to Sony hack, blamed on North Korea
Heartbleed, Shellshock, Tor and more: The 13 biggest security stories of 2014
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.