SEP sesam security bulletins
Wrong password check in sm_passd
- Issue date: 2007/24/01
All SEPsesam servers and remote device servers on Linux
Because of a wrong password check in sm_passd, someone can escape from the Sesam work directory with root rights.
- edit <SESAM_ROOT>/var/ini/stpd.ini
- remove root from AUTH_USERS
  [STPD_Thread]
  STPD_BUFSIZE=4
  DATA_TIMEOUT=7200
  AUTH_USERS=sms
  ...
- restart sm_passd with sm_main reload passd
- This procedure must be performed on all Remote Device Servers, as well.
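The workaround above has to be applied and verified on every server. The following is an added helper, not SEP sesam's own tooling, that audits the [STPD_Thread] section of a stpd.ini for root in AUTH_USERS and produces the corrected file; the sample ini content is constructed, and it assumes AUTH_USERS holds a whitespace- or comma-separated list of user names.

```python
import re

# Constructed sample of <SESAM_ROOT>/var/ini/stpd.ini in the weak state
# (root listed in AUTH_USERS). The exact value syntax is an assumption.
SAMPLE_INI = """[STPD_Thread]
STPD_BUFSIZE=4
DATA_TIMEOUT=7200
AUTH_USERS=sms root
"""

SECTION = "STPD_Thread"
KEY = "AUTH_USERS"
HEADER = re.compile(r"^\[(.+)\]$")

def _split_users(value):
    # Assumption: users separated by whitespace and/or commas.
    return [u for u in re.split(r"[\s,]+", value.strip()) if u]

def auth_users(ini_text):
    """Return the AUTH_USERS list from [STPD_Thread], or [] if absent."""
    section = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        m = HEADER.match(stripped)
        if m:
            section = m.group(1)
        elif section == SECTION and "=" in stripped:
            key, value = stripped.split("=", 1)
            if key.strip() == KEY:
                return _split_users(value)
    return []

def root_allowed(ini_text):
    """Audit check: True while root is still listed in AUTH_USERS."""
    return "root" in auth_users(ini_text)

def remove_root(ini_text):
    """Rewrite the AUTH_USERS line in [STPD_Thread] without root,
    leaving every other line of the file untouched."""
    out, section = [], None
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        m = HEADER.match(stripped)
        if m:
            section = m.group(1)
        elif section == SECTION and "=" in stripped:
            key, value = stripped.split("=", 1)
            if key.strip() == KEY:
                users = [u for u in _split_users(value) if u != "root"]
                line = f"{KEY}={' '.join(users)}\n"
        out.append(line)
    return "".join(out)
```

Run `root_allowed()` over each server's stpd.ini after the reload to confirm the workaround actually took effect.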