unshar business

Sat Dec 24 04:14:36 AEST 1988

In article <167 at ecicrl.UUCP> clewis at ecicrl.UUCP (Chris Lewis) writes:
| In article <397 at eda.com> jim at eda.com (Jim Budler) writes:
| >[...]
| >| >I may modify the source to disallow any '/'.
| 
| >First, you totally ignored the statement above.
| 
| First, you said "may".  That also means "may not".

OK

| >Second, though partially my fault since I failed to mention I run here
| >program under chroot(2). So there is no od(1), and no mail(1), and now
| >there is not even a sed(1) available.
| 
| Thus, you're inventing excuses after the fact.

No I was not *inventing* anything.

| Your approach requires that something (mapsh if you are using uuhosts) has
| to be setuid root so that chroot can be used.  A lot of SA's out there
| won't run setuid root programs if they can possibly help it.

That's is their problem. A setuid program for which I have the source
seems relatively safe.

| With Jef Poskanzer simple suggestions, Cathy's program wouldn't have to use 
| chroot.  What's wrong with that?  Why did you react to a very constructive
| posting from Jef with a flame?  Is it that you are simply a twit?

You call this constructive?

| >| >In article <7876 at well.UUCP> Jef Poskanzer <jef at rtsg.ee.lbl.gov> writes:
| >| >| Well, I have looked at Cathy's program, all 93 lines of it, and unless
| >| >| I'm reading it wrong she wasn't paying much attention either.....

At this point in time my memory is that in addition to the *constructive*
comments above he mentioned using uns to unpack something into /etc/passwd.
To which I replied that news was not allowed to write to /etc/passwd, and
that I might disallow '/'. Your analysis of this statement is above.

The other *constructive* comment was something like:
	and the program uses gets().

Now *if* people have been watching news for a while, and if they
have caught the articles in question that statement might be
amplified in there mind into a documentary on the security aspects
of using gets() instead of fgets().

| 
| >	1) Someone supplied some source code, presented as a possible
| >	solution to a problem.
| 
| For which I applaud her attempt.  Not your flames in retaliation for
| a couple of simple suggestions by Jef.

I don't and didn't feel that Jef's comments were constructive. I'll
agree they were simple.

| 
| >	3) You supplied neither a better solution, nor helped to
| >	fix it in any positive way ( or did I miss your posting of
| >	the traditional Usenet source code assistance, a diff).
| 
| Yes I did.  Ever since I got involved in this discussion I have been
| telling everyone to use uuhosts or something similar.  Cathy's program
| enhanced with Jef's suggestions is even better - because you *don't*
| need chroot and because you *don't* have to setuid root.

I've been running uuhosts as long as I've been on the net (this job)
and started using it when it first came out, (previous job). Wasn't that
your suggestion? uuhosts is better that cron running sh on the maps.
But it isn't perfect.

| >Cathy's program, slightly modified, wrapped within an edit of 
| >Mr. Quartermain's uuhosts script and mapsh program, increased 
| >the security of unpacking the maps.
| 
| Which is dumb.  If you've using mapsh why in the hell do you need Cathy's
| program?  mapsh is a setuid root chroot'd shar.  Which is probably safe
| (but undesirable).

Which is not dumb. First mapsh is not a shar. It is just 
(cd $maps; chroot; sh). uuhosts pipes particular commands to it.
As was pointed out in these discussions, chroot() does
not prevent damage by using up the inodes.

|                     What would be even better is to remove mapsh and 
| replace it completely with Cathy's program.

Probably, when I get the time to finish disallowing '/', and replacing
gets() with fgets(). At that time I'll probably eliminate uuhosts
entirely for unpacking maps, gut it and retain its other useful map display
and indexing features.

| 
| >What did your postings really contribute? 
| 
| Regarding postings (plural): 

Make up your mind. Either Jef suggested fixes to the program, or there
is no bug. It can't be both. My request for patch input was a statement
about Jef's statements about Cathy's program. Was he making constructive
criticism or rude remarks. I felt he was making rude remarks, and hence
my posting.

| 
|     - There are already several packages available that unpack maps safely.  
|       THEREFORE we didn't need to post any of them.
| 
|     - All we've been trying to do is hit SA's over the head hard enough
|       for them to pay attention and plug their own bloody holes with
|       software that ALREADY EXISTS.
|     
| Because Larry and I made fools of ourselves, Cathy wrote her program.  
| Many other people wrote similar programs.  Many other people thought
| that their pet unshars were safe.  Most of them were wrong and found out.  
| And in the end:
| 

So what are you crying about? I posted about what I felt was Jef's
unhelpful attitude. You jumped on me, I responded. Classic Usenet
tradition. 

| 	    MANY SA'S PLUGGED THE HOLE!!!!!
| 
| Which is exactly what we were intending!  Cosmic wow!  And I helped!  
| Take a bow Chris and Larry!  And all of us (except possibly you) 
| learned something in the process!

Congratulations! Does that make you feel better? Some of us, including me
learned from Cathy. Some of us, including me were made aware by Jef
of two holes in Cathy's program. But Jef was not truely constructive in
the manner in which he presented these holes.

Oh, calling me a liar again. And obviously didn't know what I was doing?
Where did you get that from? There is nothing *wrong* about what I am
doing. Overkill, is probably the most descriptive word. But wrong?

| 
| >And no I haven't finished my mods to the program, yet, so I know
| >it isn't perfect yet, and given your response to less than perfection
| >I may never post it, 
| 
| Which is no great loss considering how well you understand uuhosts and
| what mapsh does.

Thanks, I needed that. How do you know what I know about uuhosts? Oh,
that's right, I forgot, I lied about using it. And you obviously know
all about it. Quoting you:

| program?  mapsh is a setuid root chroot'd shar.  Which is probably safe

| 
| >but instead sit here more secure, in the grand
| >tradition of all those who sat back and said "I've known about that
| >hole for years." Why post source, I'll just get flames from the
| >perfect people out there. <----- *more sarcasm*
| 				 [gosh, I'd never have noticed!]
| 				 [  ^ this is sarcasm too! ]
| 
| Nah, you couldn't be referring to me.  I post source.
| 

That's nice, so do I.

| >Like I said lighten up.
| 
| Interesting.  You say that in almost all of your postings.  Most of
| which are rabid flames in response to what appear to be relatively mild
| comments or suggestions.  Have you some sort of psychological problem?
| 

I doubt that you see most of my postings. I didn't feel that Jef's
statements were relatively mild comments or suggestions. I didn't
feel his suggestions were clear. And they were presented very
poorly.

| In contrast, I only flame twits.  <-------- *personal insult*
| 				      [ ^ *more sarcasm* ]

Try sending a few to yourself then. I felt, and I feel that Jef did
a very great disservice to a new source poster. In the process the
two suggestions hidden within his posting may assist the Usenet.
But he could have done the same service to Usenet in a manner which
did not put down the efforts of another. But maybe that is too
much to ask. 

| -- 
| Chris Lewis, Markham, Ontario, Canada

Call me a twit if you like. The world around has an opinion of
all the players in this small drama. They undoubtedly have made
up their mind about Jim Budler, Chris Lewis, and Jef Poskanzer.

I can live with you opinion of me, and I'm sure you can live with my
opinion of you. And we probably will never know the opinions of
the great majority.

Merry Christmas.

jim
-- 
Jim Budler   address = uucp: ...!{decwrl,uunet}!eda!jim OR domain: jim at eda.com
#define disclaimer	"I do not speak for my employer"
Notice: I record license plate numbers of tailgaters