Path: utzoo!attcan!uunet!tut.cis.ohio-state.edu!pt.cs.cmu.edu!zog.cs.cmu.edu!tgl
From: tgl@zog.cs.cmu.edu (Tom Lane)
Newsgroups: comp.sys.hp
Subject: HPUX 7.0 cu(1) complaints
Message-ID: <8809@pt.cs.cmu.edu>
Date: 10 Apr 90 18:33:17 GMT
Organization: Carnegie-Mellon University, CS/RI
Lines: 21

I've run into a couple of problems using cu(1) under HPUX 7.0.

First, cu seems to flush all its environment variables except PATH and LANG. According to the System Security manual this is now done by all standard setuid-root programs. The trouble with cu doing it is that subprocesses spawned with ~! or ~& don't get any of the rest of the user's environment. This is a REAL serious problem for some cu scripts that I have. Does anyone have a workaround?

Second, cu creates a lock file in /usr/spool/uucp while it is setuid root, but then it reverts to the caller's uid. When it quits it is not able to remove the lock file unless /usr/spool/uucp is world-writable. Making it so seems a security hole to me; aren't there a lot of other files kept in that directory?

--
tom lane
Internet: tgl@cs.cmu.edu
UUCP: !cs.cmu.edu!tgl
BITNET: tgl%cs.cmu.edu@cmuccvma
CompuServe: >internet:tgl@cs.cmu.edu
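
The first complaint in the post describes an allowlist environment scrub: a setuid program keeps a fixed few variables and discards the rest, so anything it spawns inherits only those. The pattern in C, as an added illustration and not HP-UX's or cu's own code; the function names and the sample environment are constructed, and only the PATH and LANG allowlist comes from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allowlist: the two variables the post reports as surviving. */
static const char *const KEEP[] = { "PATH", "LANG", NULL };

/* Return 1 if "NAME=value" has a NAME that exactly matches the allowlist. */
static int is_kept(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n;
    int i;
    if (eq == NULL || eq == entry)
        return 0;                       /* malformed entry: drop it */
    n = (size_t)(eq - entry);
    for (i = 0; KEEP[i] != NULL; i++)
        if (strlen(KEEP[i]) == n && strncmp(KEEP[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Build a new NULL-terminated environment holding only allowlisted
 * entries. The caller frees the array; the strings are not copied. */
char **scrub_env(char *const envp[])
{
    size_t count = 0, out = 0, i;
    char **clean;
    while (envp[count] != NULL)
        count++;
    clean = calloc(count + 1, sizeof *clean);
    if (clean == NULL)
        return NULL;
    for (i = 0; i < count; i++)
        if (is_kept(envp[i]))
            clean[out++] = envp[i];
    return clean;
}

/* Look up NAME in an environment array; NULL if it is absent. */
const char *env_lookup(char *const envp[], const char *name)
{
    size_t n = strlen(name), i;
    for (i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* Constructed sample environment of a calling user. */
static char *SAMPLE_ENV[] = { "PATH=/bin:/usr/bin", "HOME=/users/demo",
    "LANG=C", "TERM=vt100", "PATHEXTRA=/tmp", "IFS=.", NULL };
```

Passing the array returned by `scrub_env` as the third argument of `execve` gives a child process exactly the view the post describes: PATH and LANG are present, while HOME, TERM and everything else are gone.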