Path: utzoo!utgpu!attcan!uunet!husc6!rice!sun-spots-request
From: srs!matt@uhura.cc.rochester.edu
Newsgroups: comp.sys.sun
Subject: Re: uudecode Problem
Message-ID: <8812141605.AA04380@jason.srs.com>
Date: 30 Dec 88 05:17:22 GMT
Sender: usenet@rice.edu
Organization: STC Technology Limited, London Road, Harlow, Essex, UK
Lines: 22
Approved: Sun-Spots@rice.edu
Original-Date: Wed, 14 Dec 88 11:05:39 EST
X-Sun-Spots-Digest: Volume 7, Issue 79, message 5 of 11
X-Issue-Reference: v7n53

Although uudecode doesn't really "need" the SUID bit to be set (and the file owned by uucp -- which it seems is a security problem in itself), there is a problem with what Sun used to (and probably still does) distribute as the default /usr/lib/aliases file. Within it, there is an alias:

    decode: "|/usr/bin/uudecode"

Since "decode" gets called as "daemon", this poses yet another security threat.

I wanted to test the above theory, but try as I might, I couldn't get sendmail to accept an address in the aliases file with a '|' in it. I kept getting the message "User unknown" (this is opposed to the "normal" message you get when mailing to an invalid user of: "name... User unknown"). Perhaps Sun has disallowed mailing to programs? I don't think so, but then again, I can't seem to get it to work either. This is under SunOS 3.2...

-----
- uucp: {rutgers,ames}!rochester!srs!matt          Matt Goheen
- internet: matt@srs.uucp OR matt%srs.uucp@harvard.harvard.edu
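
An added example, not part of the original post: a small audit that lists every alias in a sendmail-style aliases file whose target delivers mail to a program, such as the decode entry quoted above. Apart from that decode line, the sample file contents and all function names are constructed for illustration.

```python
import re

# Constructed sample in sendmail aliases format; only the decode line comes from the post.
SAMPLE_ALIASES = '''\
# constructed sample aliases file
postmaster: root
MAILER-DAEMON: postmaster
decode: "|/usr/bin/uudecode"
staff: alice, bob,
    carol
archive: /var/spool/archive, "|/usr/local/bin/filter -q, x"
'''

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blank lines."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def split_targets(rhs):
    """Split the right-hand side on commas that fall outside double quotes."""
    return [t.strip() for t in re.findall(r'(?:"[^"]*"|[^,"])+', rhs) if t.strip()]

def program_aliases(text):
    """Return (alias, command) for every target that pipes mail to a program."""
    findings = []
    for line in logical_lines(text):
        name, sep, rhs = line.partition(":")
        if not sep:
            continue  # not an alias definition
        for target in split_targets(rhs):
            bare = target.replace('"', "").strip()
            if bare.startswith("|"):
                findings.append((name.strip(), bare[1:].strip()))
    return findings

if __name__ == "__main__":
    for alias, command in program_aliases(SAMPLE_ALIASES):
        print(f"{alias}: mail is piped to {command}")
```

To audit a real system, pass the contents of its aliases file (for example /usr/lib/aliases, the path named in the post) to program_aliases() and review each reported command.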