From owner-freebsd-audit  Sat Sep  8 18:21:46 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from xerxes.courtesan.com (millert-gw.cs.colorado.edu [128.138.198.97])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9F9DA37B401; Sat,  8 Sep 2001 18:21:41 -0700 (PDT)
Received: from xerxes.courtesan.com (millert@localhost)
	by xerxes.courtesan.com (8.11.6/8.11.4) with ESMTP id f891KvM14677;
	Sat, 8 Sep 2001 19:20:57 -0600 (MDT)
Message-Id: <200109090120.f891KvM14677@xerxes.courtesan.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: "Andrey A. Chernov" <ache@nagual.pp.ru>,
	Matt Dillon <dillon@earth.backplane.com>,
	Jordan Hubbard <jkh@FreeBSD.ORG>, security@FreeBSD.ORG,
	audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. 
In-reply-to: Your message of "Sat, 08 Sep 2001 18:08:48 PDT."
             <20010908180848.A94567@xor.obsecurity.org> 
References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org> <20010909045226.A33654@nagual.pp.ru> <20010908180848.A94567@xor.obsecurity.org> 
Date: Sat, 08 Sep 2001 19:20:56 -0600
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-audit.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-audit>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-audit>
X-Loop: FreeBSD.ORG

In message <20010908180848.A94567@xor.obsecurity.org>
	so spake Kris Kennaway (kris):

> The vulnerability involves uucp being made to run arbitrary commands
> as the uucp user through specifying a custom configuration file - see
> bugtraq.  There may be other problems resulting from user-specified
> configuration files.  I don't have time to go through the code and fix
> up the revocation of privileges right now..in the meantime, this
> prevents the root exploit where a user replaces a uucp-owned binary
> like uustat, which is called daily by /etc/periodic.

Is there really any reason to run uustat as root?  Why not just run
it as user uucp via su?  For that matter, running non-root owned
executables from daily seems like a really bad idea.

 - todd

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message