Re: a question about BTS severities
On Tue, Sep 28, 1999 at 12:01:16PM +1000, Herbert Xu wrote:
> On Mon, Sep 27, 1999 at 05:30:51PM -0700, Joey Hess wrote:
> > >
> > > Actually, it should be critical if it's a root exploit. Grave only includes
> > > those that only compromise the user's account.
> >
> > Last I checked, root is a user. This is not a formal definition we're
> > working from, please use common sense. (Note: grave is a _higher_ priority
> > than critical. Note also: root exploits tend to turn into user account
> > exploits as soon as the attacker wants them to.)
>
> Root may be a user, but he is a special one at that :) root has privileges
> that no other users have. If a user account was compromised, the attacker
> is only able to perform tasks that user was allowed to, however, if the
> root account is compromised, then that implies the compromise of all user
> accounts on that machine, and things like using privileged ports, or
> doing port IO, etc.
I think that any user account exploit is critical -> maybe it's a sudoers,
not. However, grave is for exploits such as external access to private files
without, however, giving login access to the machine.
>
> Also, AFAIK, critical is listed above grave (and important and others) in
> all the relevant docos that I've seen.
That's what I read also.
> --
> Debian GNU/Linux 2.1 is out! ( http://www.debian.org/ )
> Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
>
--
------------------------------------------------------------------------
Fabien Ninoles Chevalier servant de la Dame Catherine des Rosiers
aka Corbeau aka le Veneur Gris Debian GNU/Linux maintainer
E-mail: fab@tzone.org
WebPage: http://www.tzone.org/~fabien
RSA PGP KEY [E3723845]: 1C C1 4F A6 EE E5 4D 99 4F 80 2D 2D 1F 85 C1 70
------------------------------------------------------------------------