Xref: utzoo comp.unix.wizards:13639 news.admin:4341 news.sysadmin:1987 Path: utzoo!attcan!lsuc!ecicrl!clewis From: clewis@ecicrl.UUCP (Chris Lewis) Newsgroups: comp.unix.wizards,news.admin,news.sysadmin Subject: Re: unshar business Message-ID: <167@ecicrl.UUCP> Date: 22 Dec 88 06:41:45 GMT References: <232@logicon.arpa> <7876@well.UUCP> <395@eda.com> <164@ecicrl.UUCP> <397@eda.com> Reply-To: clewis@ecicrl.UUCP (Chris Lewis) Organization: Elegant Communications Inc. (CRL Division) Lines: 142 In article <397@eda.com> jim@eda.com (Jim Budler) writes: >In article <164@ecicrl.UUCP> clewis@ecicrl.UUCP (Chris Lewis) writes: >| In article <395@eda.com> jim@eda.com (Jim Budler) writes: >| >In article <7876@well.UUCP> Jef Poskanzer writes: >| >| Well, I have looked at Cathy's program, all 93 lines of it, and unless >| >| I'm reading it wrong she wasn't paying much attention either..... >[...] >| >I may modify the source to disallow any '/'. >First, you totally ignored the statement above. First, you said "may". That also means "may not". >| How about placing the following into "../../../rnews"? >| for i in /bin/* >| do >| od $i | mail root >| done >Second, though partially my fault since I failed to mention I run here >program under chroot(2). So there is no od(1), and no mail(1), and now >there is not even a sed(1) available. Second, you left out one line of your article that *you* wrote (just before the "may" line): >Currently the damage is limited to the news heirarchy, plus the news library. That is, you're implying that it is *is* possible to damage the news heirarchy, which rnews is a part of. I can only comment on the code as presented. AND, more importantly, noone else running Cathy's program knows that you're using chroot either - so *they* are insecure. Thus, you're inventing excuses after the fact. Your approach requires that something (mapsh if you are using uuhosts) has to be setuid root so that chroot can be used. A lot of SA's out there won't run setuid root programs if they can possibly help it. With Jef Poskanzer simple suggestions, Cathy's program wouldn't have to use chroot. What's wrong with that? Why did you react to a very constructive posting from Jef with a flame? Is it that you are simply a twit? >Now, I'll get down to what I really feel about this whole subject: > 1) Someone supplied some source code, presented as a possible > solution to a problem. For which I applaud her attempt. Not your flames in retaliation for a couple of simple suggestions by Jef. > 3) You supplied neither a better solution, nor helped to > fix it in any positive way ( or did I miss your posting of > the traditional Usenet source code assistance, a diff). Yes I did. Ever since I got involved in this discussion I have been telling everyone to use uuhosts or something similar. Cathy's program enhanced with Jef's suggestions is even better - because you *don't* need chroot and because you *don't* have to setuid root. >Cathy's program, slightly modified, wrapped within an edit of >Mr. Quartermain's uuhosts script and mapsh program, increased >the security of unpacking the maps. Which is dumb. If you've using mapsh why in the hell do you need Cathy's program? mapsh is a setuid root chroot'd shar. Which is probably safe (but undesirable). What would be even better is to remove mapsh and replace it completely with Cathy's program. >What did your postings really contribute? Regarding postings (plural): Lots. Since Larry Blair and I made asses of ourselves about this issue, people actually *DID* something about it. I've been telling people about this hole on and off for about three years. What good did it do? Not much. Publishing holes in the net is frowned upon, some people are dense about blunt hints, and other people say "it couldn't happen to me". In light of the Internet Worm, I was actually composing an article to completely reveal this hole along with the *strong* suggestion that they install uuhosts ASAP. Then Larry Blair beat me to it. Jim, read my lips: - There is no bug. THEREFORE patch input is useless. There's nothing to patch. - There are already several packages available that unpack maps safely. THEREFORE we didn't need to post any of them. - All we've been trying to do is hit SA's over the head hard enough for them to pay attention and plug their own bloody holes with software that ALREADY EXISTS. Because Larry and I made fools of ourselves, Cathy wrote her program. Many other people wrote similar programs. Many other people thought that their pet unshars were safe. Most of them were wrong and found out. And in the end: MANY SA'S PLUGGED THE HOLE!!!!! Which is exactly what we were intending! Cosmic wow! And I helped! Take a bow Chris and Larry! And all of us (except possibly you) learned something in the process! regarding "posting" singular: Because you obviously didn't know what you were doing. And are inventing excuses post-facto. >And no I haven't finished my mods to the program, yet, so I know >it isn't perfect yet, and given your response to less than perfection >I may never post it, Which is no great loss considering how well you understand uuhosts and what mapsh does. >but instead sit here more secure, in the grand >tradition of all those who sat back and said "I've known about that >hole for years." Why post source, I'll just get flames from the >perfect people out there. <----- *more sarcasm* [gosh, I'd never have noticed!] [ ^ this is sarcasm too! ] Nah, you couldn't be referring to me. I post source. >Like I said lighten up. Interesting. You say that in almost all of your postings. Most of which are rabid flames in response to what appear to be relatively mild comments or suggestions. Have you some sort of psychological problem? In contrast, I only flame twits. <-------- *personal insult* [ ^ *more sarcasm* ] -- Chris Lewis, Markham, Ontario, Canada {uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request (or lsuc!gate!eci386!clewis or lsuc!clewis)