SEP sesam security bulletins

From SEPsesam

Jump to: navigation, search

Contents

1 Wrong password check in sm_passd

Wrong password check in sm_passd

Issue date: 2007/24/01

Target platform

All SEPsesam servers and remote device servers on Linux

Description

Because of a wrong password check in sm_passd someone can escape from Sesam work directory with root rights

Howto fix

edit <SESAM_ROOT>/var/ini/stpd.ini
remove root from AUTH_USERS

       [STPD_Thread]
       STPD_BUFSIZE=4
       DATA_TIMEOUT=7200
       AUTH_USERS=sms
       ...

restart sm_passd with sm_main reload passd
This procedure must be performed on all Remote Device Servers, as well.

Retrieved from "http://wiki.sepsoftware.com/wiki/index.php?title=SEP_sesam_security_bulletins&oldid=2186"

Personal tools

Log in

Sesam

Toolbox