From owner-freebsd-stable  Sat Oct  7 21: 5:23 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from isr5981.urh.uiuc.edu (isr5981.urh.uiuc.edu [130.126.211.213])
	by hub.freebsd.org (Postfix) with SMTP id 115FB37B502
	for <stable@FreeBSD.ORG>; Sat,  7 Oct 2000 21:05:21 -0700 (PDT)
Received: (qmail 17482 invoked by uid 1000); 8 Oct 2000 04:05:21 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 8 Oct 2000 04:05:21 -0000
Date: Sat, 7 Oct 2000 23:05:21 -0500 (CDT)
From: Frank Tobin <ftobin@uiuc.edu>
X-Sender: ftobin@localhost
To: FreeBSD-Stable <stable@FreeBSD.ORG>
Subject: Re: Security problem with "script"? 
In-Reply-To: <200010072350.RAA00780@harmony.village.org>
Message-ID: <Pine.BSF.4.21.0010072304100.17477-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Warner Losh, at 17:50 -0600 on Sat, 7 Oct 2000, wrote:

> Yes.  That's the logical conclusion if you give someone shell access,
> or access to any program that can fork a shell.  "TOYOTA: You asked
> for it, you got it."

Along the same lines, don't give a user sudo access to just run "xemacs",
unless you want them playing Tetris as root.  Oh, wait...that's not the
worst thing they can do :)

-- 
Frank Tobin		http://www.uiuc.edu/~ftobin/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message