Newsgroups: comp.sys.3b1
Path: utzoo!utgpu!news-server.csri.toronto.edu!torsqnt!geac!sq!chance!john
From: john@chance.UUCP (John R. MacMillan)
Subject: Re: 3b1 security and removal of ua
Message-ID: <1991Apr12.052548.21075@chance.UUCP>
Keywords: ua security
Organization: Haphazard
References: <375@unx-pc.UUCP> <927@jonlab.UUCP>
Date: Fri, 12 Apr 1991 05:25:48 GMT

|There is a function in the TAM library, eprintf(3T), that is used to
|print error messages. It is how the ! and !! icons get on the first
|line of your screen. Also, the calendar icon if you are using the
|pcal program.
|
|I believe eprintf writes to /dev/error, which is read by smgr.
|
|It all seems pretty innocuous, display an icon, print a message when
|a user clicks on the icon. No danger there.
|
|EXCEPT, one of the arguments to eprintf(3T) is what to do when the
|user clicks on the icon. And one of the possibilities is ST_EXEC;
|execute a program!!!
|
|Guess which user id, and in which directory the program is executed;
|
|You security hounds are right: by root and in the root directory.

Tom Kelly pointed this out at one time. I think he also said ST_LOG was
a problem, since you can use it to write any file (e.g. /etc/passwd), as
root. Very scary, and just another reason to not run smgr. (I don't;
I use mgr.)

|So, essentially, anyone with access to your C compiler has access to
|your entire machine!

Who needs a C compiler? Try:

	echo ":D:E::/usr/bin/id\c" > /dev/error

|Sleep comfortably last night?

I slept just fine...