Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!uunet!mcsun!hp4nl!htsa!maestro!jand
From: jand@maestro.htsa.aha.nl (Jan Derriks)
Newsgroups: comp.sys.hp
Subject: UUCP security hole or feature ?
Keywords: setuid uucp security
Message-ID: <2764@maestro.htsa.aha.nl>
Date: 26 Feb 91 10:14:54 GMT
Sender: bin@htsa.htsa.aha.nl
Organization: AHA-TMF (Technical Institute), Amsterdam, The Netherlands
Lines: 32

DISCLAIMER: I have contacted the CRC about this. The response was
very 'tame' (dull, not really interested). The question I got was:
does the manual page say this should *not* be the case ?
I assume it's a local security problem but would like to know what
to do about it (other than 'rm /usr/bin/uucp').

BUG: uucp retains setuid bits when a (local) copy of a file is done.
     The new file is owned by uucp.

Reproduce by:

    $ echo '#!/usr/bin/id' >foobar
    $ chmod 6555 foobar
    $ uucp foobar test      (test is owned by uucp with suid ?)
    $ ./test                (effective id becomes uucp if filesystem allows it)

The manual page says the mode of the copied file should become 0666.
Can anyone tell me why on our HP9000/835 HPUX 7.0 system it doesn't ?
(btw, it is not a 'secure' system).

[do a 'chmod go-rwx /usr/bin/uucp' if you are afraid of bad guys running
around as uucp. But don't worry, it's still a long way from being root ]

Jan Derriks.

Flames will be used to heat our office and will be accepted gratefully
during winter times.
-- 
A chubby man with a white beard and a red suit will approach you soon.
Avoid him. He's a Commie.
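Added example, not part of the original post: a shell sketch of the two checks the report implies, an audit for setuid/setgid files owned by a given account and a copy that forces the destination to mode 0666 instead of inheriting the source mode. The function names are hypothetical, and the demo uses the current user in a scratch directory in place of uucp.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# List regular files under directory $1, owned by user $2 (name or numeric
# uid), that carry the setuid or setgid bit.
find_setid_owned_by() {
    find "$1" -type f -user "$2" \( -perm -4000 -o -perm -2000 \) -print
}

# Copy $1 to $2 without inheriting the source mode. The destination is
# truncated, forced to 0666 (the mode the post says the manual page
# documents), and only then filled with data, so a destination that
# already exists with setuid bits is reset as well.
copy_mode_0666() {
    : > "$2" || return 1
    chmod 0666 "$2" || return 1
    cat < "$1" > "$2"
}

# Constructed demo: recreate the 6555 source file from the post in a scratch
# directory, copy it, and audit the directory for the current user.
demo() {
    d=$(mktemp -d) || return 1
    echo '#!/usr/bin/id' > "$d/foobar"
    chmod 6555 "$d/foobar"
    copy_mode_0666 "$d/foobar" "$d/test"
    find_setid_owned_by "$d" "$(id -u)"   # lists only the source file
    rm -rf "$d"
}
demo
```

On an affected system the audit would be run as `find_setid_owned_by <directory> uucp` over the directories where users can have uucp deposit files.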