More security problems

Jyrki Kuoppala jkp%cs.hut.fi at cunyvm.cuny.edu
Fri Dec 30 20:58:55 AEST 1988


In sun-spots a while ago wnl writes:

[[ ...There are two solutions.  The temporary one is to chmod the
current directory to 777 ("chmod 777 ."), do the uudecode, and change the
permissions back.  The permanent one is to simply remove the set-uid bit
from /usr/bin/uudecode (chmod u-s uudecode) since it doesn't really need
it anyway.  --wnl ]]

Actually it isn't a Unix problem, at least I haven't seen uu??code suid
uucp on any other system than Suns.  I don't see a good reason to make
uu??code suid uucp; now when they are, anyone can write over the L.sys
file or any other file writable by uucp.

However, please DON'T just remove the suid bit.  If it is just removed, this
creates an even bigger security problem (at least on some 3.X systems, I
haven't checked 4.0 so carefully since we don't run it yet).  I think that
the hole isn't in 3.5, but that's not because it's fixed but because of
another bug in a legitimate program which makes this other legitimate
program unusable.  Ah well.

First, remove the 'decode' alias from /usr/lib/aliases.  After that,
remove the suid bits from /usr/bin/uuencode and /usr/bin/uudecode.

Another very serious security problem: change rwalld to be executed by
'nobody' or some such user.  In SunOS 4.X this is done by editing
/etc/inetd.conf, in 3.X you should perhaps make a front end to rwall or
just disable it altogether if you don't need it.

I won't go into details with these problems, but with the recent exposed
security holes I feel that it's easier to fix them all at once rather than
wait for a few years and then find out that they're still there.  As
always, when the place of the hole is pointed out it's pretty easy to find
out how it can be used but that's the price it seems like we have to pay.

I think the idea of a security mailing list that was posted to the net a
while ago is great.  It goes something like this: we have a mailing list
with restricted distribution for system administrators and operating
system vendors.  Security problems like the ftpd and sendmail bugs are
first published there, so alert system administrators can fix them at
their systems and operating system vendors can fix them at their code.
After i.e. sixty days the problem is posted to usenet, so then everybody
can fix it even if their operating system vendor does not have adequate
bug-fix-service.

Jyrki Kuoppala    Helsinki University of Technology, Finland. + 358 0 4513233
Internet :        jkp at cs.hut.fi jkp%finhut.bitnet at cunyvm.cuny.edu
BITNET :          jkp at finhut.bitnet        Gravity is a myth, the Earth sucks!
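
An audit of the three settings the message above says to change, as an added example that is not part of the original post. The function names, the temporary sample files and the inetd.conf column layout (service, type, protocol, wait, user, server, args) are assumptions made for illustration; on a real host the arguments would be /usr/lib/aliases, /etc/inetd.conf, /usr/bin/uuencode and /usr/bin/uudecode.

```shell
#!/bin/sh
# Added example: audits the three settings named in the post.
# Function names and sample files are constructed for illustration.

# Succeeds if an active (uncommented) 'decode' alias exists in file $1.
has_decode_alias() {
    grep -Eiq '^[[:space:]]*"?decode"?[[:space:]]*:' "$1"
}

# Prints the user field (5th column) of each active rwalld entry in
# inetd.conf-style file $1. Assumes: service type proto wait user server args.
rwalld_users() {
    awk '$1 !~ /^#/ && $6 ~ /rwalld/ { print $5 }' "$1"
}

# audit ALIASES INETD_CONF BINARY...  Sets FINDINGS to the number of problems.
audit() {
    aliases=$1; inetd=$2; shift 2
    FINDINGS=0
    if has_decode_alias "$aliases"; then
        echo "FINDING: 'decode' alias active in $aliases"
        FINDINGS=$((FINDINGS + 1))
    fi
    for bin in "$@"; do
        if [ -u "$bin" ]; then
            echo "FINDING: set-uid bit on $bin"
            FINDINGS=$((FINDINGS + 1))
        fi
    done
    for user in $(rwalld_users "$inetd"); do
        if [ "$user" = root ]; then
            echo "FINDING: rwalld runs as root in $inetd"
            FINDINGS=$((FINDINGS + 1))
        fi
    done
    return 0
}

# Constructed sample files standing in for a host with none of the changes applied.
demo=$(mktemp -d)
printf '%s\n' 'postmaster: root' 'decode: "|/usr/bin/uudecode"' > "$demo/aliases"
printf '%s\n' 'rwalld/1 dgram rpc/udp wait root /usr/etc/rpc.rwalld rpc.rwalld' \
    > "$demo/inetd.conf"
: > "$demo/uuencode"; chmod 755 "$demo/uuencode"
: > "$demo/uudecode"; chmod 4755 "$demo/uudecode"
audit "$demo/aliases" "$demo/inetd.conf" "$demo/uuencode" "$demo/uudecode"
```

Run against the constructed files it reports three findings; after the alias is commented out, the set-uid bit is cleared and the rwalld user is changed to nobody, it reports none.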
