Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!decwrl!labrea!csli!evan
From: evan@csli.STANFORD.EDU (Evan Kirshenbaum)
Newsgroups: comp.emacs
Subject: Re: Is GNU Cause of Security Problems???
Message-ID: <3729@csli.STANFORD.EDU>
Date: 3 May 88 05:27:40 GMT
References: <5290@aw.sei.cmu.edu> <220@corona.pb>
Reply-To: evan@csli.UUCP (Evan Kirshenbaum)
Organization: Center for the Study of Language and Information, Stanford U.
Lines: 26

In article <220@corona.pb> michael@pbinfo.UUCP (Michael Schmidt) writes:
>Recently dhm@sei.cmu.edu (Daniel Miller) wrote:
> Once they saw his input, they determined he was using a bug in the
> GNU EMACS text editor to establish himself as a system manager by
> placing his own programs in the systems area.
>

gnuemacs (like TECO emacs before it) has at least one interesting
security hole. I doubt if it's considered proper to post it to the
net, but you might consider the differences between find-file and
insert-file and why you should probably only use the latter if you're
suid root. (Also if you are writing applications which read files and
which are likely to be run by root.)

It's interesting that this hole is easy to spot if any editor OTHER
than gnuemacs is used (even cat). As such, it's probably too risky to
break into a system this way.

I've heard that the old ITS emacs/mailer was susceptible to this, and
you could send "letter bombs" to people who used it.

---
Evan Kirshenbaum
Stanford University
evan@csli.Stanford.EDU
...!ucbvax!csli.stanford.edu!evan

If you think my opinions represent this university, you haven't been
on campus recently!