Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!yale!mintaka!bloom-beacon!eru!luth!sunic!mcsun!tuvie!mike
From: mike@tuvie (Inst.f.Techn.Informatik)
Newsgroups: comp.sys.apollo
Subject: Re: Patches and security
Message-ID: <1692@tuvie>
Date: 21 Jul 90 11:17:51 GMT
References: <1469@m1.cs.man.ac.uk> <1491@m1.cs.man.ac.uk>
Organization: Technical University of Vienna, AUSTRIA
Lines: 37

In article <1491@m1.cs.man.ac.uk>, dente@craven.ee.man.ac.uk (Colin Dente) writes:
|> In article <7871@jarthur.Claremont.EDU> jonathan@jarthur.Claremont.EDU (Jonathan Ball) writes about Jim Rees writing about what I said in the first place:
|>
|> When I saw the nature of the patch, I thought 'Great - that solves the
|> problem entirely' - more fool me! As Jim so rightly points out, all
|> the patch does is change a single program that doesn't run suid or
|> anything fancy. The *REAL* security hole is the fact that a simple
|> user-mode program could, *and still can* create an suid root file when
|> run as a normal user. Let's face it, when you consider the nature of
|> this bug - 10.2 CAN NEVER BE EVEN SLIGHTLY SECURE. Give me access to
|> any machine, and the ability to load at most two files on, and I can
|> become root by typing a single command. This is no exaggeration.
|> Even sites which have installed patch 121 are not immune from the
|> effects of this hole (they simply require me to load two files instead
|> of one).
|>
|> If this bug has not been fixed in SR10.3, then I can see no way of
|> justifying its release. Fixing this bug should be made the highest
|> possible priority if you wish to have any pretensions towards being a
|> supplier of professional computer equipment.

Well, I fear the day people find out the syscalls necessary to do this
breach! In the meantime I think sysadmins should note that they should
*REMOVE* THE OLD COPY OF THE PROGRAM!
It is probably still in your authorized area in
/install/ri.apollo.os.v.10.2/ - and you know the rest of the patch.

This will still allow anybody with access to a cartridge tape, a disk,
email, the keyboard or just about anything else to intrude - but
not quite as easily!

bye,
mike

      ____  ____
     /   / /   / /   Michael K. Gschwind             mike@vlsivie.at
    /   / /   / /    Technical University, Vienna    mike@vlsivie.uucp
    ---/             Voice: (++43).1.58801 8144      e182202@awituw01.bitnet
      /              Fax:   (++43).1.569697
  ___/