From owner-freebsd-audit  Sat Sep  8 17:52:55 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42])
	by hub.freebsd.org (Postfix) with ESMTP
	id D1C5437B40B; Sat,  8 Sep 2001 17:52:49 -0700 (PDT)
Received: (from ache@localhost)
	by nagual.pp.ru (8.11.6/8.11.6) id f890qTC33725;
	Sun, 9 Sep 2001 04:52:29 +0400 (MSD)
	(envelope-from ache)
Date: Sun, 9 Sep 2001 04:52:27 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Matt Dillon <dillon@earth.backplane.com>,
	Jordan Hubbard <jkh@FreeBSD.ORG>, security@FreeBSD.ORG,
	audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909045226.A33654@nagual.pp.ru>
References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010908174304.A88816@xor.obsecurity.org>
User-Agent: Mutt/1.3.21i
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-audit.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-audit>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-audit>
X-Loop: FreeBSD.ORG

On Sat, Sep 08, 2001 at 17:43:04 -0700, Kris Kennaway wrote:
> On Sat, Sep 08, 2001 at 05:02:57PM -0700, Kris Kennaway wrote:
> 
> > Looks like setting the schg flag is the only feasible containment
> > solution for now.
> 
> Here's a proposed fix.  It just disallows anyone other than root from
> specifying an alternate configuration file, for the setuid utilities
> (which was the cause of the vulnerability here, AFAIK).

What you try to fix this way? It brokes normal users dialing to theirs
systems, they always specify their own files. Consider uu* as user level
utilities. The only point of restriction is restrict their access to
dialing devices, not to utulities.

-- 
Andrey A. Chernov
http://ache.pp.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message