> -----Original Message-----
> From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.com]
> Sent: Thursday, July 30, 2009 1:19 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:15854] Re: [LIKELY_SPAM]Root exploit on Blue Quartz
>
> I am thinking about disabling the creation of administrator accounts in
> the GUI. I see no reason to let something so powerful be live to anyone
> with a web connection. I can re-enable it when and if I need to create
> such an account. Maybe set permissions to 000.
I changed the permissions of
/usr/sausalito/ui/web/base/vsite/manageAdmin.php to 000; now when you try to
add a user, it just prints a blank page. That should stop them from adding
new administrative users. But if the person knew my password, why didn't
they just log in as "admin" and su to root? That makes no sense, and it is
possible I have accomplished nothing.