Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/17/84; site cwruecmp.UUCP
Path: utzoo!linus!philabs!cmcl2!seismo!harvard!talcott!panda!genrad!decvax!cwruecmp!rob
From: rob@cwruecmp.UUCP (rob robertson)
Newsgroups: net.micro.att
Subject: S-bit set on UnixPC mv
Message-ID: <1284@cwruecmp.UUCP>
Date: Fri, 26-Jul-85 15:14:22 EDT
Article-I.D.: cwruecmp.1284
Posted: Fri Jul 26 15:14:22 1985
Date-Received: Sun, 28-Jul-85 08:26:25 EDT
Organization: CWRU Dept. Computer Eng., Cleveland, OH
Lines: 17

A friend of mine noticed this, but the way AT&T ships the Unix PC
software, the set uid bit on /bin/mv is set, and it is owned by root.
He seems to think that this is a "back door" for the telephone support
people, but it's a giant security breach, especially to those people
AT&T is trying to market to, business people who know little or
nothing about Unix.

With this, all a user need do is copy the passwd file to their own
directory, edit, and remove the passwd field, and then mv it back and
then su to root.

To remove this "feature" just chmod -s /bin/mv and it will be taken
care of.

william robertson        usenet: decvax!cwruecmp!rob
1615 hazel               arpa: rob.case@csnet-relay
cleveland, ohio 44106    csnet, bitnet: rob@case
(216) 791-0922
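
The check implied by the post, as an added example that is not part of the original article: a POSIX sh function that lists set-uid files in a directory and flags any that are not on an expected list, so a set-uid /bin/mv is reported. The function name, the SUID_ALLOW list and the output format are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post: report set-uid files in a
# directory that are not on an expected list (a set-uid mv would be flagged).

# Assumed allowlist of basenames that legitimately run set-uid; adjust it
# for the system being audited.
SUID_ALLOW="su passwd newgrp login"

# audit_setuid DIR [OWNER]
# Prints "UNEXPECTED <mode> <path>" for each set-uid regular file in DIR that
# is owned by OWNER (default: root) and is not in SUID_ALLOW.
# Returns 1 if anything was reported, 0 otherwise.
audit_setuid() {
    as_dir=$1
    as_owner=${2:-root}
    as_found=0
    # -perm -4000 selects files whose set-uid bit is on.
    as_list=$(find "$as_dir" -type f -user "$as_owner" -perm -4000 2>/dev/null | sort)
    while IFS= read -r as_file; do
        [ -n "$as_file" ] || continue
        case " $SUID_ALLOW " in
            *" $(basename "$as_file") "*) continue ;;   # expected, skip
        esac
        as_mode=$(ls -ld "$as_file" | awk '{print $1}')
        printf 'UNEXPECTED %s %s\n' "$as_mode" "$as_file"
        as_found=1
    done <<EOF
$as_list
EOF
    return "$as_found"
}

# Stand-alone use: sh audit.sh /bin
if [ "$#" -gt 0 ]; then
    audit_setuid "$@"
fi
```

A file reported here is cleared with the chmod -s given in the post, after which a second run no longer lists it.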