Date: Sat, 08 Sep 2001 19:20:56 -0600 From: "Todd C. Miller" <Todd.Miller@courtesan.com> To: Kris Kennaway <kris@obsecurity.org> Cc: "Andrey A. Chernov" <ache@nagual.pp.ru>, Matt Dillon <dillon@earth.backplane.com>, Jordan Hubbard <jkh@FreeBSD.ORG>, security@FreeBSD.ORG, audit@FreeBSD.ORG Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Message-ID: <200109090120.f891KvM14677@xerxes.courtesan.com> In-Reply-To: Your message of "Sat, 08 Sep 2001 18:08:48 PDT." <20010908180848.A94567@xor.obsecurity.org> References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org> <20010909045226.A33654@nagual.pp.ru> <20010908180848.A94567@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <20010908180848.A94567@xor.obsecurity.org> so spake Kris Kennaway (kris): > The vulnerability involves uucp being made to run arbitrary commands > as the uucp user through specifying a custom configuration file - see > bugtraq. There may be other problems resulting from user-specified > configuration files. I don't have time to go through the code and fix > up the revocation of privileges right now..in the meantime, this > prevents the root exploit where a user replaces a uucp-owned binary > like uustat, which is called daily by /etc/periodic. Is there really any reason to run uustat as root? Why not just run it as user uucp via su? For that matter, running non-root owned executables from daily seems like a really bad idea. - todd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109090120.f891KvM14677>