Path: utzoo!mnetor!uunet!husc6!think!ames!pasteur!ucbvax!decvax!mandrill!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon Allbery)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <7583@ncoast.UUCP>
Date: 3 Apr 88 18:54:55 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <478@minya.UUCP> <7521@ncoast.UUCP> <130@heart-of-gold>
Reply-To: allbery@ncoast.UUCP (Brandon Allbery)
Followup-To: comp.bugs.sys5
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 28

As quoted from <130@heart-of-gold> by jc@heart-of-gold (John M Chambers x7780 1E342):
+---------------
| In article <7521@ncoast.UUCP>, allbery@ncoast.UUCP (Brandon Allbery) writes:
| > If I wasn't *real* careful with the (setuid) program which grabs incoming
| > sources.misc submissions, someone could gain write access to any of my files.
| > Such as my .login. This isn't a potential security hole? (The alternative
| > is to make a certain directory world-writeable; not a sound idea in this case.)
|
| OK, I'll bite. Here are the permissions on my home directory and .login:
|
| drwxrwxr-x 21 jc wheel 2560 Mar 24 08:30 .
| -rw-r--r-- 2 jc wheel 250 Jan 29 14:53 .login
|
| And here's the rnews command:
|
| 22531 -rwsr-sr-x 2 news news 114688 Mar 17 13:33 /news/bin/rnews
|
| Explain to me how someone could use this setuid-news, setgid-news program
| to write into my .login file. No need to explain further; I do appreciate
+---------------

-rwsr-xr-x 1 allbery System 56462 Mar 20 16:33 /u/allbery/bin/stash

Recall that moderated submissions are *mailed* to the moderator, not posted.
And, of course, I should hope that I own my home directory and .login.
--
Brandon S. Allbery, moderator of comp.sources.misc
{well!hoptoad,uunet!hnsurg3,cbosgd,sun!mandrill}!ncoast!allbery
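The hole Allbery is pointing at is a general one: a program that is setuid to a file's owner (here stash, setuid allbery, not rnews, setuid news) and that lets the incoming message influence where it writes can be steered at any file that owner can write, such as .login. The following C is an added example, not the stash program from the post (its source is not shown there); the spool directory, the function names and the exact validation rules are assumptions. It contrasts the dangerous pattern with a confined one.

```c
/* Added example, not the stash program from the post. Shows why a
 * setuid-to-owner mail hook must never let the sender choose the
 * destination path, and one way to confine it. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical spool directory; the real location is the moderator's choice. */
#define SPOOL_DIR "/var/spool/sources-misc"

/* Dangerous pattern: the destination comes from the message itself.
 * Because the program runs with the owner's uid, a sender who names
 * "/u/allbery/.login" (or "../../.login") truncates and rewrites the
 * owner's file. Shown only as the pattern to avoid. */
int store_unchecked(const char *dest, const char *body)
{
    int fd = open(dest, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, body, strlen(body));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Accept only a plain file name: non-empty, bounded length, no '/',
 * no leading '.', printable non-space ASCII only. That rejects absolute
 * paths, "..", dotfiles such as .login, and shell-hostile characters. */
int submission_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c > 0x7e || !isprint(c) || isspace(c)) return 0;
    }
    return 1;
}

/* Confined pattern: the directory is fixed by the program, the name is
 * validated, and the file is created relative to a directory fd with
 * O_EXCL | O_NOFOLLOW, so neither an existing file nor a planted symlink
 * can be used as a write target. Returns 0 on success, -1 with errno set. */
int store_checked(const char *spool_dir, const char *name, const char *body)
{
    if (!submission_name_ok(name)) { errno = EINVAL; return -1; }
    int dirfd = open(spool_dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    int saved = errno;
    close(dirfd);
    if (fd < 0) { errno = saved; return -1; }
    ssize_t n = write(fd, body, strlen(body));
    saved = errno;
    close(fd);
    if (n < 0) { errno = saved; return -1; }
    return 0;
}

/* Stand-alone use: stash NAME < message. The name is the only thing the
 * sender controls; the directory is never taken from the input. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s NAME < message\n", argv[0]); return 2; }
    char body[65536];
    size_t got = fread(body, 1, sizeof body - 1, stdin);
    body[got] = '\0';
    if (store_checked(SPOOL_DIR, argv[1], body) < 0) { perror(argv[1]); return 1; }
    return 0;
}
```

Note that nothing in store_checked depends on who the file owner is: the program still runs as the owner, so the validation plus the fixed directory is the whole barrier between the sender and the owner's other files. That is the "*real* careful" in the quoted post; world-writeable directories, the alternative he rejects, would trade this for a different problem.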