Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!uunet!mcsun!ukc!stl!robobar!ronald
From: ronald@robobar.co.uk (Ronald S H Khoo)
Newsgroups: comp.unix.questions
Subject: Re: What's so special about uudecode?
Summary: chmod ug-s /usr/bin/uudecode *now*
Message-ID: <1990Dec29.142017.15454@robobar.co.uk>
Date: 29 Dec 90 14:20:17 GMT
References: <3317@mrsvr.UUCP>
Organization: Robobar Ltd., Perivale, Middx., ENGLAND.
Lines: 21

krieg@titan.med.ge.com (Andrew Krieg) writes:

> uudecode has some special characteristics at my site.
> If you try to run it, say in your home directory, you
> get the error:
> 
> filename: Permission denied

Ha!  I think your vendor has made the *dreadful* error of making
uudecode setuid to uucp "for the convenience of decoding received uucp
files".  I have seen systems where this is a horrible security hole in
that uudecode will allow anyone to make a setuid-to-uucp shell (begin 4755
sh) and so gain access to L.sys and the passwords therein (especially
nasty if L.sys contains passwords to expensive PDN network gateways).

I would encourage you to tell your system administrator to remove the
setuid bit on uudecode (chmod ug-s /usr/bin/uudecode) and shout at your
vendor.  It's this sort of thing that gives UNIX system security a bad
name.
-- 
ronald@robobar.co.uk +44 81 991 1142 (O) +44 71 229 7741 (H)