Message-Id: <200109180148.f8I1mYA61148@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: Joe Abley
Cc: lyndon@orthanc.ab.ca, kris@obsecurity.org, arch@FreeBSD.ORG
Subject: Re: Moving UUCP to ports
In-reply-to: Your message of "Mon, 17 Sep 2001 21:28:23 EDT."
        <20010917212822.B52922@buffoon.automagic.org>
Date: Mon, 17 Sep 2001 18:48:23 -0700

In message <20010917212822.B52922@buffoon.automagic.org>, Joe Abley writes:
> [reposted with corrected recipient addresses; bang-paths from an
> era long past removed with prejudice]
>
> On Mon, Sep 17, 2001 at 06:35:02PM -0600, Lyndon Nerenberg wrote:
> > >>>>> "Kris" == Kris Kennaway writes:
> >
> > Kris> I would like to move the UUCP suite from the base system
> > Kris> into ports. The UUCP utilities have a security hole which
> > Kris> yields user uucp access, which can currently be leveraged to
> > Kris> obtain root access by trojaning the uucp binaries. This
> > Kris> security hole is believed to be basically unfixable due to
> > Kris> the design of UUCP: we can limit its impact, but not
> > Kris> eliminate it for all users.
> >
> > What's the specific bug here? It's hard to evaluate your request
> > without knowing the actual problem.
>
> UUCP was just (in the past week or so) removed from OpenBSD-current
> and into ports. I don't mean to suggest that anybody here should jump
> through hoops just because OpenBSD made a decision to do so; however,
> since it's a recent event I thought it might be newsworthy.
>
> I just saw the CVS log entries pertaining to the deUUCPification.
> Tracking down openbsd mailing list traffic on the subject might be
> useful.

A bug was discovered in Taylor UUCP (the UUCP used by most of the UNIX
world) and published on BUGTRAQ that users could execute arbitrary
commands as the UUCP user. UUCP was designed for a more time and is
probably inappropriate for today's world. Hence it should be moved to
ports and installed by only those who need its functionality.
In an ideal world it would not even be in ports; however, there are
applications and people who still use and need UUCP, so moving it to
ports is probably the most appropriate thing we can do.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC