Way back on May 24, 11:05am, "Sven.Wijk" wrote:

> The program doesn't seem to be there in the version we are running (7.0.2).
> Downgrading might be an alternative solution. Please correct me if I'm wrong!

Downgrading might work, but Arc/Info is so buggy we *need* 7.0.4. I just
removed the suid bit from fm_fls; it seems to not have any adverse effects.

> A quick search in the ArcInfo directories showed 4 other programs suid to root.
> Do we have a potential for problems?

Hmm..

-rwsr-sr-x 1 root root 1319912 Jan 21 01:31 ./arcexe70/programs/asmaster
-rwsr-sr-x 1 root root 5871192 Jan 21 01:32 ./arcexe70/programs/asrecovery
-rwsr-sr-x 1 root root 6059112 Jan 21 01:32 ./arcexe70/programs/asuser
-rwsr-sr-x 1 root root 1110856 Jan 21 01:32 ./arcexe70/programs/asutility
-rwsr-sr-x 1 root root 3724136 Jan 29 12:00 ./arcexe70/programs/se
-rwsr-sr-x 1 root root   24464 Jan 21 01:31 ./arcexe70/programs/wservice
-rwsr-sr-x 1 root root   20016 Jan 21 01:20 ./arcexe70/programs/abservice
-rwsr-sr-x 1 root root 3200832 Jan 21 01:20 ./arcexe70/programs/asbuil

I suppose statistically, there must be at least one security bug in
programs this large. Unfortunately (?), all but two of these won't run
on our system (we don't have a license for them.)

> Our GIS-people earlier looked at ESRI's product ArcStorm. Its client-server
> solution is built on:
> - a bunch of programs suid to root
> - the client must be trusted hosts to the server, by means of the /etc/.rhost
>   or /etc/host.equiv file.
> This made me very uneasy, and I finally managed to get them to drop their
> ArcStorm-dreams, and to search for some more security minded solution.
> It seems that security isn't a high priority issue for ESRI's developers.

Nor is bug-free code, but this isn't alt.esri.bash.bash.bash ..

James

--
James W. Abendschan                      Email: jwa@nbs.nau.edu
UNIX Systems Programmer/Administrator    Phone: (520) 556-7466 x238
Colorado Plateau Research Station, Flagstaff, AZ   Voice mail: *516
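
The audit and fix described in this message (listing the setuid/setgid programs under the Arc/Info tree, then dropping the bit from one of them), as an added example that is not part of the original post. The function names, the directory argument and the log file are assumptions.

```shell
#!/bin/sh
# Added example: audit a vendor install tree for setuid/setgid files and
# strip the bits from a chosen binary, keeping a record for rollback.
# Function names, directory argument and log path are assumptions.

# Print every regular file under $1 with the setuid or setgid bit set.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Same search, restricted to root-owned files (the case in the listing above).
list_suid_root() {
    find "$1" -xdev -type f -user root \
        \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Number of setuid/setgid files still present under $1.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# Remove setuid and setgid from file $1. The original "ls -ld" line is
# appended to log $2 first, so the old mode and owner can be restored if
# the application turns out to need the privilege.
strip_suid() {
    file=$1
    log=$2
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    ls -ld "$file" >> "$log" || return 1
    chmod u-s,g-s "$file"
}
```

A typical run is `list_suid_root ./arcexe70`, followed by `strip_suid` on each binary that is not needed with elevated privilege, then exercising the application to confirm nothing broke.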