unshar business

Thu Dec 22 16:41:45 AEST 1988

In article <397 at eda.com> jim at eda.com (Jim Budler) writes:
>In article <164 at ecicrl.UUCP> clewis at ecicrl.UUCP (Chris Lewis) writes:
>| In article <395 at eda.com> jim at eda.com (Jim Budler) writes:
>| >In article <7876 at well.UUCP> Jef Poskanzer <jef at rtsg.ee.lbl.gov> writes:
>| >| Well, I have looked at Cathy's program, all 93 lines of it, and unless
>| >| I'm reading it wrong she wasn't paying much attention either.....
>[...]
>| >I may modify the source to disallow any '/'.

>First, you totally ignored the statement above.

First, you said "may".  That also means "may not".

>| How about placing the following into "../../../rnews"?  

>| 	for i in /bin/*
>| 	do
>| 		od $i | mail root
>| 	done

>Second, though partially my fault since I failed to mention I run here
>program under chroot(2). So there is no od(1), and no mail(1), and now
>there is not even a sed(1) available.

Second, you left out one line of your article that *you* wrote (just
before the "may" line):

>Currently the damage is limited to the news heirarchy, plus the news library.

That is, you're implying that it is *is* possible to damage the news
heirarchy, which rnews is a part of.  I can only comment on the code as
presented.  AND, more importantly, noone else running Cathy's program knows
that you're using chroot either - so *they* are insecure.  

Thus, you're inventing excuses after the fact.

Your approach requires that something (mapsh if you are using uuhosts) has
to be setuid root so that chroot can be used.  A lot of SA's out there
won't run setuid root programs if they can possibly help it.

With Jef Poskanzer simple suggestions, Cathy's program wouldn't have to use 
chroot.  What's wrong with that?  Why did you react to a very constructive
posting from Jef with a flame?  Is it that you are simply a twit?

>Now, I'll get down to what I really feel about this whole subject:

>	1) Someone supplied some source code, presented as a possible
>	solution to a problem.

For which I applaud her attempt.  Not your flames in retaliation for
a couple of simple suggestions by Jef.

>	3) You supplied neither a better solution, nor helped to
>	fix it in any positive way ( or did I miss your posting of
>	the traditional Usenet source code assistance, a diff).

Yes I did.  Ever since I got involved in this discussion I have been
telling everyone to use uuhosts or something similar.  Cathy's program
enhanced with Jef's suggestions is even better - because you *don't*
need chroot and because you *don't* have to setuid root.

>Cathy's program, slightly modified, wrapped within an edit of 
>Mr. Quartermain's uuhosts script and mapsh program, increased 
>the security of unpacking the maps.

Which is dumb.  If you've using mapsh why in the hell do you need Cathy's
program?  mapsh is a setuid root chroot'd shar.  Which is probably safe
(but undesirable).  What would be even better is to remove mapsh and 
replace it completely with Cathy's program.

>What did your postings really contribute? 

Regarding postings (plural): 

Lots.  Since Larry Blair and I made asses of ourselves about this
issue, people actually *DID* something about it.  I've been telling
people about this hole on and off for about three years.  What good
did it do?  Not much.  Publishing holes in the net is frowned upon, some
people are dense about blunt hints, and other people say "it couldn't
happen to me".  

In light of the Internet Worm, I was actually composing an article 
to completely reveal this hole along with the *strong* suggestion that
they install uuhosts ASAP.  Then Larry Blair beat me to it.

Jim, read my lips:

    - There is no bug.  THEREFORE patch input is useless.  There's nothing
      to patch.

    - There are already several packages available that unpack maps safely.  
      THEREFORE we didn't need to post any of them.

    - All we've been trying to do is hit SA's over the head hard enough
      for them to pay attention and plug their own bloody holes with
      software that ALREADY EXISTS.

Because Larry and I made fools of ourselves, Cathy wrote her program.  
Many other people wrote similar programs.  Many other people thought
that their pet unshars were safe.  Most of them were wrong and found out.  
And in the end:

	    MANY SA'S PLUGGED THE HOLE!!!!!

Which is exactly what we were intending!  Cosmic wow!  And I helped!  
Take a bow Chris and Larry!  And all of us (except possibly you) 
learned something in the process!

regarding "posting" singular:

Because you obviously didn't know what you were doing.  And are inventing
excuses post-facto.

>And no I haven't finished my mods to the program, yet, so I know
>it isn't perfect yet, and given your response to less than perfection
>I may never post it, 

Which is no great loss considering how well you understand uuhosts and
what mapsh does.

>but instead sit here more secure, in the grand
>tradition of all those who sat back and said "I've known about that
>hole for years." Why post source, I'll just get flames from the
>perfect people out there. <----- *more sarcasm*
				 [gosh, I'd never have noticed!]
				 [  ^ this is sarcasm too! ]

Nah, you couldn't be referring to me.  I post source.

>Like I said lighten up.

Interesting.  You say that in almost all of your postings.  Most of
which are rabid flames in response to what appear to be relatively mild
comments or suggestions.  Have you some sort of psychological problem?

In contrast, I only flame twits.  <-------- *personal insult*
				      [ ^ *more sarcasm* ]
-- 
Chris Lewis, Markham, Ontario, Canada
{uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis
Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request
(or lsuc!gate!eci386!clewis or lsuc!clewis)