Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!uwm.edu!zaphod.mps.ohio-state.edu!think!snorkelwacker!bloom-beacon!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.mail.sendmail
Subject: Re: uudecode alias
Message-ID: <1990May25.192857.7191@athena.mit.edu>
Date: 25 May 90 19:28:57 GMT
References: <7591@ur-cc.UUCP>
Sender: news@athena.mit.edu (News system)
Reply-To: jik@athena.mit.edu (Jonathan I. Kamens)
Organization: Massachusetts Institute of Technology
Lines: 30

In article <7591@ur-cc.UUCP>, msir@uhura.cc.rochester.edu (Mark Sirota) writes:
|> Most sendmails seem to come with the following line in the aliases database:
|> decode: "|/usr/bin/uudecode"
|>
|> Why?  What purpose does this serve?  It won't work on our system anyway
|> since we don't have uudecode in /usr/bin, so either nobody's complaining or
|> nobody uses it.  My concern is that it needs to be there for some program or
|> something.

Its alleged "purpose" is to make file transfer between machines easier.  One
machine can send uuencoded mail to "decode" on the other machine, and have the
file automatically uudecoded and installed in the right place (based on the
install filename in the uuencoded file).

|> So what's the net.wisdom on this one?  Kill it?  It seems like it might be
|> a bit of a security hole, too, but I'd rather not go into any more detail
|> than that here.

Yes, it's a glaring security hole, and vendors which include it in their
standard software distribution should be shot, ESPECIALLY if uudecode is
installed setuid, which it is on some systems.

For sure, remove it.  For sure, make sure your uudecode isn't setuid.  If you
paid for your sendmail software and that line was in the default aliases, then
flame at your vendor for putting it there.

Jonathan Kamens			      USnail:
MIT Project Athena			11 Ashford Terrace
jik@Athena.MIT.EDU			Allston, MA  02134
Office: 617-253-8495			Home: 617-782-0710
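As an added example (not code from the post above, nor from any sendmail or uudecode distribution), the following shell script does the two checks the reply recommends and shows why the alias is dangerous: it lists every alias in an aliases file that pipes mail into a program, flags the stock "decode" entry, reads the "begin MODE PATH" line of a uuencoded message to show that the sender of the mail picks both the destination path and the file mode that uudecode will use, and tests whether a uudecode binary is installed setuid. The aliases text and the uuencoded message are constructed for the demonstration; the function names and the candidate uudecode paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or any vendor's sendmail
# distribution.  Audits an aliases file for program-delivery aliases,
# shows what a uuencoded message lets the sender control, and checks
# whether uudecode is setuid.  Sample inputs below are constructed.

# Print "name -> target" for every alias that pipes mail into a program.
# Argument: path to an aliases file.  (Hypothetical helper name.)
list_pipe_aliases() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and blank lines
        $2 ~ /^[ \t]*"?\|/ {                    # target begins with "|program"
            name = $1; target = $2
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", target)
            print name " -> " target
        }' "$1"
}

# Exit 0 if the aliases file still carries the stock "decode" pipe alias.
has_decode_alias() {
    list_pipe_aliases "$1" | grep -q '^decode -> "*|'
}

# Print "MODE PATH" from the begin line of a uuencoded message.  Both values
# come from the message body, i.e. from whoever sent the mail; piping mail
# into uudecode therefore lets a remote sender choose where the file lands
# and what mode it gets.
uuencode_target() {
    awk '$1 == "begin" { print $2, $3; exit }' "$1"
}

# Exit 0 if the given file has the setuid bit (the "make sure it isn't" check).
is_setuid() {
    [ -u "$1" ]
}

# --- demonstration with constructed input ---
tmp=$(mktemp -d) || exit 1

cat > "$tmp/aliases" <<'EOF'
postmaster: root
# stock entry as quoted in the thread
decode: "|/usr/bin/uudecode"
nobody: /dev/null
EOF

# A uuencoded mail whose begin line names a path under /usr/local/bin.
# The data line encodes the three bytes "hi\n".
cat > "$tmp/msg" <<'EOF'
From: someone@example.org
Subject: here is the file

begin 755 /usr/local/bin/innocent
#:&D*
`
end
EOF

echo "program-delivery aliases:"
list_pipe_aliases "$tmp/aliases"
if has_decode_alias "$tmp/aliases"; then
    echo "WARNING: stock decode alias present; remove it"
fi
echo "uudecode would create (mode path): $(uuencode_target "$tmp/msg")"

# Candidate install locations are assumptions; adjust for your system.
for f in /usr/bin/uudecode /usr/local/bin/uudecode; do
    if [ -f "$f" ]; then
        if is_setuid "$f"; then
            echo "WARNING: $f is setuid"
        else
            echo "$f is not setuid"
        fi
    fi
done

rm -rf "$tmp"
```

The aliases check is worth running against every file sendmail reads aliases from, not only /etc/aliases; any pipe alias is a program that untrusted mail can start, and the "decode" one is the worst of them because the message body, not the administrator, decides the output path and mode.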