Path: utzoo!attcan!uunet!husc6!cmcl2!beta!unm-la!unmvax!turing.UNM.EDU!mike
From: mike@turing.UNM.EDU (Michael I. Bushnell)
Newsgroups: comp.emacs
Subject: Re: Is GNU Cause of Security Problems???
Message-ID: <1052@unmvax.unm.edu>
Date: 13 May 88 07:38:01 GMT
References: <5290@aw.sei.cmu.edu> <4983@bloom-beacon.MIT.EDU> <193@ists> <5263@bloom-beacon.MIT.EDU> <7013@swan.ulowell.edu>
Sender: news@unmvax.unm.edu
Reply-To: mike@turing.UNM.EDU.UUCP (Michael I. Bushnell)
Organization: University of New Mexico, Albuquerque
Lines: 35

The latest issue of CACM clears this whole thing up. The problem was in
movemail. From page 489:

    As distributed, the program uses the UNIX Set-User-ID-to_root
    feature; that is, a section of the program runs with system-manager
    privileges. This movemail facility allows the user to change file
    ownership and move files into another's directory. Unfortunately,
    the program did not prevent someone from moving a file into the
    systems area.

    Aware of this hole, the intruder created a shell script that, when
    executed at root level, would grant him system privileges. He used
    the movemail facility to rename his script to masquerade as a
    utility periodically run by the system. When the script was
    executed by the system, he gained system-manager privileges.

I hope this clears some of the confusion up. From the comment in
movemail.c, movemail can use POP to get the mail, and, to do so, it must
be setuid root. It is possible that this little-used feature was not
extensively debugged, and that on the system in question, the POP code
was compiled in and movemail made setuid root.

--
        N u m q u a m   G l o r i a   D e o
Michael I. Bushnell             HASA - "A" division
14308 Skyline Rd NE             Computer Science Dept.
Albuquerque, NM 87123     OR    Farris Engineering Ctr.
        OR                      University of New Mexico
mike@turing.unm.edu             Albuquerque, NM 87131
{ucbvax,gatech}!unmvax!turing.unm.edu!mike
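
The check the CACM excerpt says was missing, sketched as an added example (not part of the original post and not code from movemail.c): before a set-user-ID mover writes a destination on a user's behalf, confirm that the target directory resolves inside the area that user is allowed to write. The function name dest_allowed and its allowed_root parameter are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), mkdtemp() */
#endif
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from movemail.c): may a set-user-ID mover write
 * `dest` for the invoking user? The directory receiving the file must
 * resolve inside `allowed_root` and be writable by the REAL uid.
 * Returns 1 to allow, 0 to refuse.
 */
int dest_allowed(const char *dest, const char *allowed_root)
{
    char copy[PATH_MAX], dir[PATH_MAX], root[PATH_MAX];
    size_t n;

    if (strlen(dest) >= sizeof copy)
        return 0;
    strcpy(copy, dest);             /* dirname() may modify its argument */
    /* Canonicalise, so ".." and symlinks cannot point outside the root. */
    if (!realpath(dirname(copy), dir) || !realpath(allowed_root, root))
        return 0;
    n = strlen(root);
    /* Prefix match on a component boundary: /home/al is not /home/alice. */
    if (strcmp(root, "/") != 0 &&
        (strncmp(dir, root, n) != 0 || (dir[n] != '\0' && dir[n] != '/')))
        return 0;
    /* access() answers for the real uid/gid, not the effective (root) uid. */
    return access(dir, W_OK | X_OK) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s DEST ALLOWED_ROOT\n", argv[0]);
        return 2;
    }
    /* The check and the later write are separate steps, so a real program
     * should also drop to the real uid (seteuid(getuid())) before writing. */
    if (!dest_allowed(argv[1], argv[2])) {
        puts("refused");
        return 1;
    }
    puts("allowed");
    return 0;
}
```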