Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!lll-winken!uunet!cbmvax!grr
From: grr@cbmvax.UUCP (George Robbins)
Newsgroups: comp.unix.ultrix
Subject: Ultrix Security Problem
Summary: sad but true...
Message-ID: <7091@cbmvax.UUCP>
Date: 13 Jun 89 00:31:24 GMT
Reply-To: grr@cbmvax.UUCP (George Robbins)
Organization: Commodore Technology, West Chester, PA
Lines: 21

Ultrix 3.0 introduced a new, serious, security hole that allows any
informed user to obtain access to root privileges by typing a single
command line.

Contact with DEC software support determined that they were aware of
the problem and that there was a workaround available.  The support
person was unable to explain why DEC had not notified their customers
of the problem.

I find this very dissapointing, considering that I am paying DEC for
software support and had made a query via DSIN whether there were any
known problems associated with installing Ultrix 3.0.

Please contact DEC software support to obtain the workaround for this
problem, as in most cases, I have no unambiguous way of distinguishing
a concerned administrator from an inquisitive cracker.

-- 
George Robbins - now working for,	uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing	arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department	fone: 215-431-9255 (only by moonlite)