From owner-freebsd-audit Sat Sep 8 18:53:45 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from xerxes.courtesan.com (millert-gw.cs.colorado.edu [128.138.198.97])
	by hub.freebsd.org (Postfix) with ESMTP id 29D4937B40D;
	Sat, 8 Sep 2001 18:53:40 -0700 (PDT)
Received: from xerxes.courtesan.com (millert@localhost)
	by xerxes.courtesan.com (8.11.6/8.11.4) with ESMTP id f891r4p01038;
	Sat, 8 Sep 2001 19:53:04 -0600 (MDT)
Message-Id: <200109090153.f891r4p01038@xerxes.courtesan.com>
To: Kris Kennaway
Cc: "Andrey A. Chernov", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
In-reply-to: Your message of "Sat, 08 Sep 2001 18:08:48 PDT." <20010908180848.A94567@xor.obsecurity.org>
References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org> <20010909045226.A33654@nagual.pp.ru> <20010908180848.A94567@xor.obsecurity.org>
Date: Sat, 08 Sep 2001 19:53:03 -0600
From: "Todd C. Miller"
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <20010908180848.A94567@xor.obsecurity.org>
so spake Kris Kennaway (kris):

> The vulnerability involves uucp being made to run arbitrary commands
> as the uucp user through specifying a custom configuration file - see
> bugtraq. There may be other problems resulting from user-specified
> configuration files. I don't have time to go through the code and fix
> up the revocation of privileges right now..in the meantime, this
> prevents the root exploit where a user replaces a uucp-owned binary
> like uustat, which is called daily by /etc/periodic.

It's not clear how you would fix revocation of privileges on this
since, correct me if I'm wrong, when uucp is run via uux both real and
effective uids are set to uucp. As such it is not immediately obvious
to me how to really make uucp safe while still allowing user configs
but I'm not a UUCP guy :-)

 - todd