Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!sri-spam!ames!sdcsvax!ucbvax!germany.CSNET!DIEHL%iravcl
From: DIEHL%iravcl@germany.CSNET.UUCP
Newsgroups: comp.os.vms
Subject: RE: installed images and security
Message-ID: <8708311409.AA22373@ucbvax.Berkeley.EDU>
Date: Mon, 31-Aug-87 05:47:00 EDT
Article-I.D.: ucbvax.8708311409.AA22373
Posted: Mon Aug 31 05:47:00 1987
Date-Received: Tue, 1-Sep-87 04:47:53 EDT
Sender: usenet@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 21

Hallo out there!

Tony Li writes in response to my message:

> Would you consider posting either a patch or a workaround please?
> Telling us that there is a bug without a diagnosis and patch begs to
> have some hacker discover and abuse it.

When I discovered that "feature" in FINGER (and obviously in any other
program reading user files with SYSPRV enabled), I did not know any
workaround except eliminating SYSPRV. On the other hand I did not want
to wait until WE have a patch or workaround; I just wanted to tell the
system-managers to be careful when installing programs with privileges.

Instead of being publicly more explicit on the way how to abuse FINGER,
I told Richard Garland (one of the developers of FINGER) what the
problem is exactly. I hope that there will be a secure version of FINGER
quite soon.

Arno Diehl, University of Karlsruhe, West Germany

PS: I'm not fond of installing patches coming over the net...