Xref: utzoo news.admin:4080 news.sysadmin:1689 comp.mail.uucp:2356
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cs.utexas.edu!milano!bigtex!james
From: james@bigtex.cactus.org (James Van Artsdalen)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Keywords: "it's a secret ... but they told me!" -- david dobkin
Message-ID: <11048@bigtex.cactus.org>
Date: 27 Nov 88 02:10:27 GMT
References: <1227@vsi1.UUCP> <117@hudson.Morgan.COM> <800@mailrus.cc.umich.edu> <151@ecicrl.UUCP>
Organization: Institute of Applied Cosmology, Austin TX
Lines: 17

> You know, maybe we should try to invent a new "mailable" archive format
> that isn't compatible with /bin/sh so that people are *never* tempted into
> the trap of using sed..|sh or insecure unshars.

Wonderful. What a great idea. Doesn't it seem odd that your goal is to
create an archive layout that nobody can unpack? How do you ever expect
people to unpack this stuff? Are *you* going to ensure that everyone gets
a copy of your unpacker, and that vendors all distribute it?

John Quarterman's uuhosts package works. It is secure in the sense that a
worm or virus cannot propagate (a worm could consume CPU cycles or disk
space, but that's about it). Use it.

If anyone has a way of breaking chroot(2), I'd like to hear about it...
-- 
James R. Van Artsdalen   james@bigtex.cactus.org   "Live Free or Die"
Home: 512-346-2444 Work: 338-8789   9505 Arboretum Blvd Austin TX 78759