Path: utzoo!mnetor!uunet!husc6!yale!cmcl2!nrl-cmf!mailrus!ames!umd5!purdue!gatech!psuvax1!burdvax!sdcrdcf!trwrb!felix!ccicpg!arnold!hodge!rusty
From: rusty@hodge.UUCP (Rusty Hodge)
Newsgroups: comp.sys.att
Subject: Re: Major security problem in the UA: looking for a real fix
Message-ID: <114@hodge.UUCP>
Date: 9 Feb 88 18:53:39 GMT
References: <1023@woton.UUCP> <2017@bsu-cs.UUCP> <118@bergy.UUCP>
Organization: Hodge Computer Research Corp., Orange, CA
Lines: 15
Keywords: UNIX PC, UA, security hole
Summary: Security Problems with the User Agent


The most deadly UA hole is the Administration file in the /u/install area.
Out of the box (at least mine and several others), this file is read for
everyone.  Simply copy it into your area, run the UA and presto you can
change the root password.

The simple fix for this is to chmod o-r Administration.  However, this
will not keep experienced UA types from creating their own UA entries that
have the same sort of command scripts that the Administration file does.

Let's face it: the UA is *evil*.  Get rid of it.  Hide it in a nested directory
and take away its execute privledges.  Make it go away.

Root will still be able to get to most of those nifty UA-run programs for
screen-oriented system administration. :->