/usr/sbin/validate clash with /usr/bin/validate

Paul Wouters pwouters at redhat.com
Wed May 23 18:22:35 UTC 2012


I just got caught in having two different "validate" commands in my
path.

The /usr/bin/validate version is from the dnssec-tools package. It has a
man page and usage info and is a tool to diagnose dnssec lookups.

The /usr/sbin/validate version is from the mod_auth_shadow package. It
has no man page, no usage, no -h or --help. It is executed by the apache
server to read /etc/shadow to do user auth. It is setuid root, and not
meant to be executed by a user.

I suggest moving /usr/sbin/validator into /usr/libexec, and probably
talking to Dan Walsh about using SElinux to further restrict it so it
cannot be executed by users or cgis.

Paul
ps. Jan: I also filed a crypt() NULL bug against mod_auth_shadow a while
ago with a patch.


More information about the devel mailing list