Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!usc!sdd.hp.com!caen!uflorida!novavax!ankh!megasys!pax From: pax@megasys.com (Garry M. Paxinos) Newsgroups: comp.unix.sysv386 Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386 Message-ID: Date: 15 Feb 91 11:41:34 GMT References: <27b9fc7e.3f86@petunia.CalPoly.EDU> Sender: pax@megasys.COM Organization: Megasystems, Inc. Delray Beach FL Lines: 43 In-reply-to: aschaffe@polyslo.CalPoly.EDU's message of 14 Feb 91 02:57:02 GMT In article <27b9fc7e.3f86@petunia.CalPoly.EDU> aschaffe@polyslo.CalPoly.EDU (JedHead) writes: Huge kudos going out to the person who alerted the net to the Security Hole.. I, too, had some reservations at first about the propriety of releasing that information "to the world", but quickly realized that it was a sure-fire way to get a reaction from the vendors... Agreed!! My hat's off to Joern! A 3-day cycle from the "Hey, ISC!" message to an announcement of a free bug fix is something to be impressed with.. But I do not agree on this... considering the original poster apparently spent 6 months trying to get ISC to do something about this... For referneces, here is the statement in the ISC 2.2 release notes on page 10: ' * A new tunable parameter has been added to prevent users from writing to the ublock of ther own processes. By setting the value of UAREAUS and UAREARW to 0 instead of the default, 1, users can be prevented from changing their effective user identifications (UID). Refer to the "INTERACTIVE UNIX Operating System Maintenance Procedures" for more informa- tion on setting tunable parameters ' Obviously they knew about it in 2.2, and proceded to NOT do anything to fix it when they released the 2.2.1 update. If anything, I am impressed with their sheer stupidity. Gee, I'm really glad it only took them 3 days to admit to a gapping security hole when it was printed in their 2.2 release notes almost a year ago... We have systems Nuclear Power Plants! Besides not wanting the general operations people to have root access, these systems also have modems! Need I say more?! pax. -- E-Mail:pax@megasys.com pax@ankh.ftl.fl.us gmp@pinet.aip.org USNail:Megasystems, Inc. 2055 South Congress Ave, Delray Beach, FL 33445 UUCP :{gatech!uflorida!novavax!ankh, mthvax, shark, attmail}!megasys!pax Voice :407-243-2405 Data: 407-243-2407 Fax: 407-243-2408 Telex: 156281499