Path: utzoo!attcan!uunet!rosevax!ernie.Rosemount.COM!merlyn
From: merlyn@ernie.Rosemount.COM (Brian Westley)
Newsgroups: comp.unix.wizards
Subject: Putting trojan horse fixes where they belong
Message-ID: <6893@rosevax.Rosemount.COM>
Date: 14 Dec 88 17:46:26 GMT
References: <6798@rosevax.Rosemount.COM> <591@auspex.UUCP> <6811@rosevax.Rosemount.COM> <13253@ncoast.UUCP>
Sender: news@rosevax.Rosemount.COM
Reply-To: merlyn@ernie.Rosemount.COM (Brian Westley)
Organization: Rosemount Inc., Burnsville, MN
Lines: 45

>>>If you insist on sticking "+set nomodeline" here, rather than in the
>>>user's ".exrc" where it belongs...
>>
>>No, it belongs in any code that puts uncontrolled text into a file
>>and executes a "vi"-like editor.  A number of vi's have "modeline"
>>on by default, and many people don't know about it.  If Pnews can be
>>made more robust, it should be.
>
>And just how does this protect the superuser who edits /etc/passwd when
>someone's username ends with "ex", etc.?

It doesn't.  What does making Pnews more Trojan-proof have to do with
editing /etc/passwd with embedded vi commands??  Nothing.  Besides, your
example doesn't fit my description of the basic flaw.  (any code that puts
uncontrolled text into a file and executes a "vi"-like [can execute
external commands] editor; /etc/passwd is not uncontrolled text - I can't
write to it.  I *can* write news articles with trojan horses in them,
which Pnews will run for me.)

>Pnews is not the only culprit, and you can't catch *all* programs that might
>do it.  The proper place to put it is $HOME/.exrc...

This does not fix the problem.  This can never fix the problem.  There are
many sites that CANNOT put ANYTHING into $HOME/.exrc to turn this
trojan-horse mechanism off.  There are probably some people who use
'set modeline[s]' in their .exrc because they actually USE this feature,
and requiring them to change this, instead of fixing dangerously naive
software, is shortsighted.

New sites come on-line all the time.  Some of these will undoubtedly be
vulnerable from day one.  Instead of requiring thousands of sites to "fix"
their .exrcs so Pnews can't be used as a vehicle for destructive code,
fix Pnews, dammit!  Requiring this hole to be patched by everyone will only
guarantee its existence for as long as this "solution" exists.

>(P.S.  And just how does your Pnews fix change what /usr/bin/postnews does?)

It doesn't.  Feel free to post corrections to postnews, too.
Just how does *your* Pnews fix, fix Pnews?

Merlyn LeRoy
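
Added example (not part of the original post and not Pnews code): a sketch of a check that a program handing uncontrolled text to a "vi"-like editor could run first, flagging and neutralizing modeline-like lines. The function names, the pattern ("ex:" or "vi:" followed by text and a closing ":") and the five-line window are assumptions chosen to over-match; the sample input in the comments is constructed.

```shell
#!/bin/sh
# Added example: screen a file for modeline-like lines before an editor opens it.
# ASSUMPTIONS (not from the post): the editor honours modelines only in the
# first/last WINDOW lines, and a modeline looks like "ex:<cmds>:" or "vi:<cmds>:".
# The pattern is deliberately loose so that editor variants are over-matched.
WINDOW=5
MODELINE_RE='(ex|vi):.*:'

# Print the region of the file the editor would scan for modelines.
modeline_window() {
    total=$(wc -l < "$1")
    if [ "$total" -le $((WINDOW * 2)) ]; then
        cat "$1"                      # short file: every line is in the window
    else
        head -n "$WINDOW" "$1"
        tail -n "$WINDOW" "$1"
    fi
}

# Exit status 0 if any line in the window looks like a modeline.
has_modeline() {
    modeline_window "$1" | grep -Eq "$MODELINE_RE"
}

# Print how many lines in the window look like modelines.
count_modelines() {
    modeline_window "$1" | grep -Ec "$MODELINE_RE" || true
}

# Write a copy to stdout with "ex:" / "vi:" split to "ex :" / "vi :" inside
# the window only, which breaks the assumed pattern; other lines are untouched.
defang_modelines() {
    total=$(wc -l < "$1")
    awk -v w="$WINDOW" -v n="$total" '
        NR <= w || NR > n - w { gsub(/ex:/, "ex :"); gsub(/vi:/, "vi :") }
        { print }' "$1"
}

# Constructed sample: quoted article text such as
#   > vi:set ts=4:
# is flagged even though it carries a ">" quote prefix.
```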