Xref: utzoo unix-pc.general:333 comp.sys.att:2474
Path: utzoo!utgpu!water!watmath!clyde!mtune!bakerst!cgh!manta!brant
From: brant@manta.UUCP (Brant Cheikes)
Newsgroups: unix-pc.general,comp.sys.att
Subject: Re: Major security problem in the UA: looking for a real fix
Keywords: UNIX PC, UA, security hole
Message-ID: <338@manta.UUCP>
Date: 13 Feb 88 19:35:23 GMT
References: <1023@woton.UUCP> <2017@bsu-cs.UUCP> <118@bergy.UUCP> <114@hodge.UUCP>
Reply-To: brant@manta.UUCP (Brant Cheikes)
Organization: Soul of the Gnu Machine, Philadelphia
Lines: 20

In article <114@hodge.UUCP> rusty@hodge.UUCP (Rusty Hodge) writes:
>Let's face it: the UA is *evil*. Get rid of it. Hide it in a nested
>directory and take away its execute privileges. Make it go away.

For those who don't need to give ua access to "non-trusted" users, the
simplest solution seems to be:

1. Create a new group in /etc/group, say "guest".
2. Put all non-trusted users in the guest group (all "trusted" users
   remain in the "users" group)
3. chgrp users /usr/bin/ua
4. chmod o-rwx /usr/bin/ua

Now, only the superuser and members of the "users" group can execute
the user agent.
--
Brant Cheikes
University of Pennsylvania
Department of Computer and Information Science
ARPA: brant@linc.cis.upenn.edu, UUCP: ...drexel!manta!brant
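
Added example, not part of the original post: a check that steps 1-4 had the intended effect, listing which accounts can still execute a group-restricted file by reading both the passwd primary-group field and the /etc/group member list. The function name can_exec, the sample accounts, the root owner and the 755 starting mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list the accounts that can execute a file, working from
# passwd/group data. Owner (root) and the modes used are assumptions.

# can_exec PASSWD GROUP OWNER FILEGROUP MODE -> sorted login names on one line
can_exec() {
    awk -F: -v owner="$3" -v fgroup="$4" -v mode="$5" '
    BEGIN {
        gid = -1; n = length(mode)
        ux = substr(mode, n - 2, 1) % 2    # owner execute bit
        gx = substr(mode, n - 1, 1) % 2    # group execute bit
        ox = substr(mode, n, 1) % 2        # other execute bit
    }
    FNR == NR {                            # first file: group database
        if ($1 == fgroup) {
            gid = $3
            k = split($4, m, ",")
            for (i = 1; i <= k; i++) member[m[i]] = 1
        }
        next
    }
    {                                      # second file: passwd database
        if ($3 == 0)                          ok = (ux || gx || ox)
        else if ($1 == owner)                 ok = ux
        else if ($4 == gid || ($1 in member)) ok = gx
        else                                  ok = ox
        if (ok) print $1
    }' "$2" "$1" | sort | xargs
}

# Constructed sample data (not taken from any real system).
tmp=$(mktemp -d)
cat > "$tmp/group" <<'EOF'
users::100:
guest::101:visitor,temp
EOF
cat > "$tmp/passwd" <<'EOF'
root::0:0::/:/bin/sh
brant::201:100::/u/brant:/bin/ksh
visitor::202:101::/u/visitor:/bin/ksh
temp::203:100::/u/temp:/bin/ksh
EOF

echo "before (assumed mode 755):  $(can_exec "$tmp/passwd" "$tmp/group" root users 755)"
echo "after steps 3-4 (mode 750): $(can_exec "$tmp/passwd" "$tmp/group" root users 750)"
```

In the constructed data, "temp" was added to the guest line in the group file but still has "users" as its primary group in the passwd file, so it remains in the "after" list; step 2 has to change that field as well.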