Putting trojan horse fixes where they belong
Brian Westley
merlyn at ernie.Rosemount.COM
Thu Dec 15 03:46:26 AEST 1988
>>>If you insist on sticking "+set nomodeline" here, rather than in the
>>>user's ".exrc" where it belongs...
>>
>>No, it belongs in any code that puts uncontrolled text into a file
>>and executes a "vi"-like editor. A number of vi's have "modeline"
>>on by default, and many people don't know about it. If Pnews can be
>>made more robust, it should be.
>
>And just how does this protect the superuser who edits /etc/passwd when
>someone's username ends with "ex", etc.?
It doesn't. What does making Pnews more Trojan-proof have to do
with editing /etc/passwd with embedded vi commands?? Nothing.
Besides, your example doesn't fit my description of the basic flaw.
(any code that puts uncontrolled text into a file and executes a
"vi"-like [can execute external commands] editor; /etc/passwd is
not uncontrolled text - I can't write to it. I *can* write news
articles with trojan horses in them, which Pnews will run for me.)
>Pnews is not the only culprit, and you can't catch *all* programs that might
>do it. The proper place to put it is $HOME/.exrc...
This does not fix the problem. This can never fix the problem.
There are many sites that CANNOT put ANYTHING into $HOME/.exrc to turn
this trojan-horse mechanism off.
There are probably some people who use 'set modeline[s]' in their .exrc because
they actually USE this feature, and requiring them to change this, instead
of fixing dangerously naive software, is shortsighted.
New sites come on-line all the time. Some of these will undoubtedly
be vulnerable from day one.
Instead of requiring thousands of sites to "fix" their .exrcs so Pnews
can't be used as a vehicle for destructive code, fix Pnews, dammit!
Requiring this hole to be patched by everyone will only guarantee its
existence for as long as this "solution" exists.
>(P.S. And just how does your Pnews fix change what /usr/bin/postnews does?)
It doesn't. Feel free to post corrections to postnews, too.
Just how does *your* Pnews fix, fix Pnews?
Merlyn LeRoy
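
An added example, not part of the original post and not code from Pnews: one way a posting script could check the uncontrolled text itself before handing the file to a "vi"-like editor, so the check works whatever is in the user's .exrc. The function names, the five-line window and the sample article are assumptions or constructed for illustration; "+set nomodeline" is the argument quoted in the thread.

```shell
#!/bin/sh
# Assumption: with "modeline" on, the editor scans this many lines at the
# top and at the bottom of the file for an "ex:" or "vi:" marker.
MODELINE_WINDOW=5

# Print "N: text" for every line of file $1 that lies inside the scanned
# window and contains a modeline marker. Prints nothing for a clean file.
modeline_candidates() {
    awk -v n="$MODELINE_WINDOW" '
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++)
                if ((i <= n || i > NR - n) && line[i] ~ /(ex|vi):/)
                    print i ": " line[i]
        }' "$1"
}

# Refuse to open a file whose scanned window holds modeline-like text;
# otherwise start the editor with the argument quoted in the thread.
# The scan does not depend on the editor honouring that argument.
safe_edit() {
    hits=$(modeline_candidates "$1")
    if [ -n "$hits" ]; then
        printf 'modeline-like text in %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    "${EDITOR:-vi}" "+set nomodeline" "$1"
}

# Constructed 12-line article: a harmless marker on line 2 (inside the
# window) and one on line 7 (outside it, so it is not reported).
make_sample() {
    {
        echo 'In article <constructed@example> someone writes:'
        echo '> quoted text vi:set ts=4:'
        i=3
        while [ "$i" -le 12 ]; do
            if [ "$i" -eq 7 ]; then echo '> ex: in mid-file, outside the window'
            else echo "> body line $i"; fi
            i=$((i + 1))
        done
    } > "$1"
}
```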