Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!umix!b-tech!zeeff
From: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Newsgroups: news.sysadmin
Subject: Re: who, me?
Message-ID: <4942@b-tech.ann-arbor.mi.us>
Date: 20 Nov 88 21:32:16 GMT
References: <622@ccncsu.ColoState.EDU> <797@mailrus.cc.umich.edu>
Reply-To: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Organization: Branch Technology Ann Arbor, MI
Lines: 20

In article <797@mailrus.cc.umich.edu> honey@citi.umich.edu (peter honeyman) writes:
>
>create /usr/spool/uucppublic/hdbworm as follows:

As this points out, uucp may :-) have bugs.  And as things are 
normally set up, breaking uucp breaks many things since many users 
indirectly run /usr/bin/uux which is owned by uucp (maybe even root as 
he sends mail to join a security list).  What ever happened to the 
idea that breaking xxx doesn't allow you to break anything else?  How 
about making /usr/bin/uux a simple suid root program that does a 
setuid(UUCPUID) and execs the real uux?  

It's not just suid programs that are problems, it's anything that 
someone might run (directly or indirectly).  


-- 
Jon Zeeff      		  		A month ago I modified broke into
umix!b-tech!zeeff		        your system and modified your kernel.
zeeff@b-tech.ann-arbor.mi.us		Have you proved me wrong?