Path: utzoo!utgpu!watmath!clyde!att!pacbell!ames!ncar!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: jkp%cs.hut.fi@cunyvm.cuny.edu (Jyrki Kuoppala)
Newsgroups: comp.sys.sun
Subject: More security problems
Message-ID: <8812181640.AA00434@cs.hut.fi>
Date: 30 Dec 88 10:58:55 GMT
Sender: usenet@rice.edu
Organization: NSSDC GSFC Greenbelt, Md
Lines: 47
Approved: Sun-Spots@rice.edu
Original-Date: Sun, 18 Dec 88 18:40:53 +0200
X-Sun-Spots-Digest: Volume 7, Issue 80, message 11 of 12

In sun-spots a while ago wnl writes:

[[ ...There are two solutions. The temporary one is to chmod the current
directory to 777 ("chmod 777 ."), do the uudecode, and change the
permissions back. The permanent one is to simply remove the set-uid bit
from /usr/bin/uudecode (chmod u-s uudecode) since it doesn't really need
it anyway. --wnl ]]

Actually it isn't a Unix problem, at least I haven't seen uu??code suid
uucp on any other system than Suns. I don't see a good reason to make
uu??code suid uucp; now when they are, anyone can write over the L.sys
file or any other file writable by uucp.

However, please DON'T just remove the suid bit. If it is just removed, this
creates an even bigger security problem (at least on some 3.X systems, I
haven't checked 4.0 so carefully since we don't run it yet). I think that
the hole isn't in 3.5, but that's not because it's fixed but because of
another bug in a legitimate program which makes this other legitimate
program unusable. Ah well.

First, remove the 'decode' alias from /usr/lib/aliases. After that, remove
the suid bits from /usr/bin/uuencode and /usr/bin/uudecode.

Another very serious security problem: change rwalld to be executed by
'nobody' or some such user. In SunOS 4.X this is done by editing
/etc/inetd.conf, in 3.X you should perhaps make a front end to rwall or
just disable it altogether if you don't need it.

I won't go into details with these problems, but with the recent exposed
security holes I feel that it's easier to fix them all at once rather than
wait for a few years and then find out that they're still there. As
always, when the place of the hole is pointed out it's pretty easy to find
out how it can be used but that's the price it seems like we have to pay.

I think the idea of a security mailing list that was posted to the net a
while ago is great. It goes something like this: we have a mailing list
with restricted distribution for system administrators and operating
system vendors. Security problems like the ftpd and sendmail bugs are
first published there, so alert system administrators can fix them at
their systems and operating system vendors can fix them at their code.
After i.e. sixty days the problem is posted to usenet, so then everybody
can fix it even if their operating system vendor does not have adequate
bug-fix-service.

Jyrki Kuoppala
Helsinki University of Technology, Finland.
+ 358 0 4513233
Internet : jkp@cs.hut.fi
           jkp%finhut.bitnet@cunyvm.cuny.edu
BITNET   : jkp@finhut.bitnet
Gravity is a myth, the Earth sucks!
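
The three changes the post above asks for, written as an audit script. This is an added example, not part of the original post: the function names, the environment-variable overrides and the assumed inetd.conf column order (user in the fifth field) are assumptions; the default paths are the ones named in the post.

```shell
#!/bin/sh
# Added example: report which of the three settings from the post are
# still in their risky state. Override the paths to test offline.
ALIASES=${ALIASES:-/usr/lib/aliases}
INETD_CONF=${INETD_CONF:-/etc/inetd.conf}
UU_BINARIES=${UU_BINARIES:-"/usr/bin/uuencode /usr/bin/uudecode"}

# True if the aliases file has an active (uncommented) 'decode' alias.
has_decode_alias() {
    [ -r "$1" ] && grep -Eiq '^"?decode"?[[:space:]]*:' "$1"
}

# True if the file exists and carries the set-uid bit.
is_setuid() {
    [ -u "$1" ]
}

# Print the user field of every active rwalld entry. Assumed layout:
# service, socket type, protocol, wait flag, user, program, arguments.
rwalld_users() {
    [ -r "$1" ] || return 0
    awk '$1 !~ /^#/ && ($1 == "rwalld" || index($1, "rwalld/") == 1) { print $5 }' "$1"
}

# Print one line per finding; exit status is 0 only when nothing is found.
audit() {
    findings=0
    if has_decode_alias "$ALIASES"; then
        echo "FINDING: 'decode' alias still present in $ALIASES"
        findings=$((findings + 1))
    fi
    for f in $UU_BINARIES; do
        if is_setuid "$f"; then
            echo "FINDING: set-uid bit set on $f"
            findings=$((findings + 1))
        fi
    done
    for u in $(rwalld_users "$INETD_CONF"); do
        if [ "$u" = root ]; then
            echo "FINDING: rwalld runs as root in $INETD_CONF"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run the audit only when invoked as: sh thisfile --run
[ "${1:-}" != --run ] || audit
```

A 'decode' finding reported together with a set-uid finding means the alias has to go first, in the order the post gives.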