Path: utzoo!mnetor!uunet!husc6!im4u!tut.cis.ohio-state.edu!bloom-beacon!mgm.mit.edu!wolfgang
From: wolfgang@mgm.mit.edu (Wolfgang Rupprecht)
Newsgroups: comp.emacs
Subject: Re: Is GNU Cause of Security Problems???
Message-ID: <4983@bloom-beacon.MIT.EDU>
Date: 30 Apr 88 01:04:47 GMT
References: <5290@aw.sei.cmu.edu>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: wolfgang@mgm.mit.edu (Wolfgang Rupprecht)
Organization: Freelance Software Consultant, Boston, Ma.
Lines: 22

In article <5290@aw.sei.cmu.edu> dhm@sei.cmu.edu (Daniel Miller) writes:
>In the April 29 1988 issue of "Government Computer News" front page
>article titled "European Raids 30 Sensitive Systems", 
>	Once they saw his input, they determined he was using a bug in the
>	GNU EMACS text editor to establish himself as a system manager by
>	placing his own programs in the systems area.

Well, if you are so foolish to install GnuEmacs with permissions of
777 then there is a *very* large security hole. Just hack up your own
GnuEmacs with something like the following trojan code included and
cat it into the executable file. The next time root or someone su-ed
to root edits something <blam> instant trojan shell.

(and (zerop (user-uid)) 
     (call-process "you know what goes here ... ;-)"))

Moral: NEVER NEVER make executables world writable. (And READ those
install scripts before using them!!!!)
---
Wolfgang Rupprecht	ARPA:  wolfgang@mgm.mit.edu (IP 18.82.0.114)
326 Commonwealth Ave.	UUCP:  mit-eddie!mgm.mit.edu!wolfgang
Boston, Ma. 02115	TEL:   (617) 267-4365