Path: utzoo!attcan!uunet!samsung!zaphod.mps.ohio-state.edu!sol.ctr.columbia.edu!cica!iuvax!ux1.cso.uiuc.edu!ux1.cso.uiuc.edu!m.cs.uiuc.edu!carroll
From: carroll@m.cs.uiuc.edu
Newsgroups: comp.unix.questions
Subject: Re: How secure is UNIX? (Re: Stupid man
Message-ID: <9000033@m.cs.uiuc.edu>
Date: 6 Jun 90 00:31:00 GMT
References: <100928@<1990May23>
Lines: 34
Nf-ID: #R:<1990May23:100928:m.cs.uiuc.edu:9000033:000:1814
Nf-From: m.cs.uiuc.edu!carroll Jun 5 19:31:00 1990

/* Written 11:22 am May 28, 1990 by dce@smsc.sony.com in m.cs.uiuc.edu:comp.unix.questions */
In article <1990May28.102235.10021@agate.berkeley.edu> dankg@ocf.Berkeley.EDU (Dan Kogai) writes:
>In article <9000030@m.cs.uiuc.edu> carroll@m.cs.uiuc.edu writes:
>>in it. Does FTP check for .netrc specially? If not, then this seems to
>>claim that you ftp'd the .netrc and it was that copy that was used,
>>not your 600 .netrc.
>
> It might be system dependent but ALL ftp I know refuses to use
>.netrc with wrong mode.

Hold on, Dan. I think that carrol@m.cs.uiuc.edu is asking "when doing a get or a put, does ftp check for .netrc specially". That is, is it possible that you did a get/put of everything in a directory, and that your .netrc got copied to a new place without being protected?
/* End of text from m.cs.uiuc.edu:comp.unix.questions */

Yes, this is what I meant. The scenario I envisioned was,

1. A tar is done on "." or using find, such that the .files are included, including the .netrc.
2. The tar file is ftp'd somewhere else, with permissions such that another user can get the file (normally or through ftp).
3. This other user then untars the file, and the .netrc, still with 600 permissions, is also untarred, but _owned by the other user_, because that's what tar does (on BSD - on SysV, you have to go to the trouble of using the -o flag).
4. Other user then picks the password out of the file.

I can't see how ftp could possibly prevent this from happening, and I strongly suspect that something very similar to this took place.

Alan M. Carroll                    Barbara/Marilyn in '92 :
carroll@cs.uiuc.edu                + This time, why not choose the better halves?
Epoch Development Team
CS Grad / U of Ill @ Urbana        ...{ucbvax,pur-ee,convex}!cs.uiuc.edu!carroll
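The four-step leak above, reproduced on a single machine as an added example (this script is not part of the original post or of any ftp or tar implementation). The home directory, the host ftp.example.invalid, the login alice and the password hunter2 are all constructed for the demo; the "other user" of step 3 is simulated by extracting the archive into a second directory as whoever runs the script, which is enough to show that the file keeps its 600 mode bits but belongs to the extractor. It also includes the check a practitioner would want before step 2: list the archive and look for any member named .netrc.

```shell
# Added example, not part of the original post.  It reproduces steps 1-4
# above on one machine with a constructed home directory, a made-up host
# (ftp.example.invalid) and a made-up password; no real credentials or
# remote transfer are involved, and the "other user" is simulated by
# extracting into a second directory as whoever runs the script.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Victim's home: a .netrc that looks protected because it is mode 600.
make_victim_home() {
    mkdir -p "$WORK/home"
    printf 'machine ftp.example.invalid login alice password hunter2\n' \
        > "$WORK/home/.netrc"
    chmod 600 "$WORK/home/.netrc"
    printf 'nothing sensitive here\n' > "$WORK/home/notes.txt"
}

# Step 1: archiving "." sweeps in dotfiles; a shell glob like * would not.
archive_dot() {
    ( cd "$WORK/home" && tar -cf "$WORK/dot.tar" . )
}
archive_glob() {
    ( cd "$WORK/home" && tar -cf "$WORK/glob.tar" * )
}

# The check to run before an archive leaves the machine (step 2): list any
# member named .netrc.  Prints the member names; exit status is 0 only when
# at least one was found.
netrc_in_tar() {
    tar -tf "$1" | grep -E '(^|/)\.netrc$'
}

# Step 3: the other user untars it.  The 600 mode bits come out of the
# archive intact, but an unprivileged extractor becomes the owner, so the
# mode now protects the file for the thief, not for the victim.
extract_as_other() {
    mkdir -p "$WORK/other"
    ( cd "$WORK/other" && tar -xf "$WORK/dot.tar" )
}

# Mode string and owner of an extracted file, via portable ls -l fields.
mode_of()  { ls -ld "$1" | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# Step 4: pull the password out of the copy the other user now owns.
password_from_netrc() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "password") print $(i + 1) }' "$1"
}

make_victim_home
archive_dot
archive_glob
extract_as_other
printf 'members named .netrc in dot.tar: %s\n' "$(netrc_in_tar "$WORK/dot.tar" || true)"
printf 'members named .netrc in glob.tar: %s\n' "$(netrc_in_tar "$WORK/glob.tar" || true)"
printf 'extracted copy: mode %s owner %s\n' \
    "$(mode_of "$WORK/other/.netrc")" "$(owner_of "$WORK/other/.netrc")"
printf 'password recovered: %s\n' "$(password_from_netrc "$WORK/other/.netrc")"
```

Two things to take from running it: the dot.tar archive carries ./.netrc while glob.tar does not, which is why "tar on ." or a find-driven tar is the dangerous form in step 1; and the extracted copy reports mode -rw------- with the extractor as owner, so the 600 that ftp checks for is satisfied from the thief's point of view. The netrc_in_tar function is the practical pre-upload check: run it against any archive of a home directory before it is ftp'd anywhere, and treat a non-empty result as a stop.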