Xref: utzoo news.admin:4085 news.sysadmin:1694
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!gatech!mcnc!ece-csc!ncrcae!ncrlnk!uunet!mcvax!unido!iaoobelix!woerz
From: woerz@iaoobelix.UUCP (Dieter Woerz)
Newsgroups: news.admin,news.sysadmin
Subject: Re: Some worms reflexions
Message-ID: <258@iaoobelix.UUCP>
Date: 26 Nov 88 14:15:16 GMT
References: <361@itivax.UUCP> <367@execu.UUCP> <1294@tmpmbx.UUCP> <746@mannix.iros1.UUCP> <177@heart-of-gold>
Reply-To: woerz@iaoobelix.UUCP (Dieter Woerz)
Followup-To: news.sysadmin
Organization: Fraunhofer Institut fuer Arbeitswirtschaft und Organisation
Lines: 27

In article <177@heart-of-gold> jc@heart-of-gold (John M Chambers) writes:
> ...
>The problem really wasn't that sendmail included a remote-debug facility;
>I'd compliment its designers/installers for that. The problem was that
>this debug facility included a remote-execute "feature". Considering
>that sendmail is, in effect, a command interpreter (i.e., "shell") that
>runs as root, doesn't always require a password, and is accessible from
>the entire internet, such a shell escape seems a bit unwise. But a debug
>facility doesn't necessarily require such a powerful feature.
> ...

What I'd like to know is, what was this "feature" supposed to be used
for, as you can't use this feature without the debug option enabled.
So you can't use the "shell escape" within normal operation, why was
it included in the debug operation?

------------------------------------------------------------------------------

Dieter Woerz
Fraunhofer Institut fuer Arbeitswirtschaft und Organisation
Abt. 453
Holzgartenstrasse 17
D-7000 Stuttgart 1
W-Germany

BITNET: iaoobel.uucp!woerz@unido.bitnet
UUCP:   ...{uunet!unido, pyramid}!iaoobel!woerz