Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!ucla-cs!zen!ucbvax!germany.CSNET!DIEHL%iravcl
From: DIEHL%iravcl@germany.CSNET.UUCP
Newsgroups: comp.os.vms
Subject: installed images and security (resent)
Message-ID: <8708280950.AA25855@ucbvax.Berkeley.EDU>
Date: Thu, 27-Aug-87 16:10:00 EDT
Article-I.D.: ucbvax.8708280950.AA25855
Posted: Thu Aug 27 16:10:00 1987
Date-Received: Sat, 29-Aug-87 16:39:37 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 26

[ I sent this message to info-vax about 2 weeks ago. As it never found
  its way back to Germany, I assume it got lost like other messages sent
  by one of my colleagues. Here it is again: ]

Some time ago we installed the FINGER program. We did not see any
security problem in installing FINGER with SYSPRV privilege, because the
only files FINGER accessed were SYSUAF.DAT (to get the last-login date)
and FINGER.PLN in a user's home directory. After looking into the sources
we were sure that there was no way to abuse the SYSPRV privilege.

Now I know that I was wrong: using FINGER there *is* a way to read *any*
protected file, if the directory containing that file allows at least
EXECUTE access. (The reason is one of the various SET FILE ... commands.)

--> DO NOT INSTALL ANY PROGRAM THAT READS USER FILES USING SYSPRV
    PRIVILEGE UNLESS YOU ARE *VERY* SURE THAT IT IS SECURE!!!

Arno Diehl, University of Karlsruhe, West Germany
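The problem Arno describes is the classic confused deputy: a program that runs with a privilege which bypasses file protection (SYSPRV) opens a file by a name the user controls (FINGER.PLN in the user's own directory), so whatever the user can make that name refer to gets read on the user's behalf. The example below is added here and is not part of the original post or of the FINGER program; it is a Unix analogue in C, where the directory-entry tricks available through SET FILE on VMS correspond to hard links and symbolic links. It shows a naive .plan reader with exactly the trust FINGER placed in the name, a checked reader that refuses a .plan entry which is a symlink, has more than one directory entry, is not a regular file, or is not owned by the owner of the home directory, and a constructed fixture that drives both. All function names and the fixture are this example's own inventions; the ownership check cannot be exercised without root, so the fixture demonstrates the link-count and symlink checks only.

```c
/* Added example, not code from the original post or from FINGER.
 * A privileged ".plan" reader, naive and hardened, plus a constructed
 * fixture that aliases a file from outside the home directory onto
 * the name ".plan" by hard link and by symlink. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive reader: opens whatever the directory entry ".plan" names.
 * Run with a privilege that bypasses file protection, this reads any
 * file the user managed to alias into their directory. */
int open_plan_naive(const char *homedir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/.plan", homedir);
    return open(path, O_RDONLY);
}

/* Hardened reader: ".plan" must be reached without following a symlink,
 * be a regular file with exactly one directory entry (no alias), and be
 * owned by whoever owns the home directory. Refuse before reading. */
int open_plan_checked(const char *homedir)
{
    struct stat dirst, st;
    int dirfd = open(homedir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd < 0)
        return -1;
    if (fstat(dirfd, &dirst) < 0) { close(dirfd); return -1; }

    int fd = openat(dirfd, ".plan", O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    close(dirfd);
    if (fd < 0)
        return -1;                     /* ELOOP here means ".plan" is a symlink */
    if (fstat(fd, &st) < 0 ||
        !S_ISREG(st.st_mode) ||        /* device, FIFO, directory: refuse */
        st.st_nlink != 1 ||            /* hard-linked alias of another file */
        st.st_uid != dirst.st_uid) {   /* not the fingered user's own file */
        close(fd);
        return -1;
    }
    return fd;
}

/* Read a small file through fd, close it, compare with expected text. */
static int fd_contains(int fd, const char *expected)
{
    char buf[256];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

static void write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Constructed fixture (hypothetical data) in a scratch directory: a
 * "victim" file outside the home directory, then three kinds of .plan
 * entry in turn. Returns a bitmask of what happened:
 *   bit 0: naive reader leaked the victim file through a hard link
 *   bit 1: naive reader leaked it through a symlink
 *   bit 2: checked reader refused the hard link
 *   bit 3: checked reader refused the symlink
 *   bit 4: checked reader still serves an honest .plan
 * All five bits set (31) is the behaviour the hardening is meant to give. */
int run_demo(void)
{
    const char *tmp = getenv("TMPDIR");
    if (!tmp) tmp = "/tmp";
    char tmpl[4096];
    snprintf(tmpl, sizeof tmpl, "%s/planXXXXXX", tmp);
    char *root = mkdtemp(tmpl);
    if (!root) return -1;
    char home[4200], victim[4200], plan[4300];
    snprintf(home, sizeof home, "%s/home", root);
    snprintf(victim, sizeof victim, "%s/victim.txt", root);
    snprintf(plan, sizeof plan, "%s/.plan", home);
    mkdir(home, 0700);
    write_file(victim, "SECRET\n");
    int result = 0, fd;

    /* 1. alias the victim file into the home directory by a hard link */
    if (link(victim, plan) == 0) {
        fd = open_plan_naive(home);
        if (fd >= 0 && fd_contains(fd, "SECRET\n")) result |= 1;
        if (open_plan_checked(home) < 0) result |= 4;
        unlink(plan);
    }
    /* 2. the same, by symlink */
    if (symlink(victim, plan) == 0) {
        fd = open_plan_naive(home);
        if (fd >= 0 && fd_contains(fd, "SECRET\n")) result |= 2;
        if (open_plan_checked(home) < 0) result |= 8;
        unlink(plan);
    }
    /* 3. an honest plan file written by the user */
    write_file(plan, "out to lunch\n");
    fd = open_plan_checked(home);
    if (fd >= 0 && fd_contains(fd, "out to lunch\n")) result |= 16;
    unlink(plan); unlink(victim); rmdir(home); rmdir(root);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("result bitmask: %d (31 means hardened reader behaved)\n", r);
    return r == 31 ? 0 : 1;
}
```

The checks are defence in depth, not a substitute for the post's advice: the safest FINGER is one that does not hold SYSPRV (or its Unix equivalent) while opening user files at all, for example by dropping privilege, or impersonating the fingered user, before the open. Note also that the checks are done on the already-opened descriptor (fstat, not stat), so the user cannot swap the entry between the check and the read.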