From owner-freebsd-security  Mon Jul 15 00:47:37 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id AAA12122
          for security-outgoing; Mon, 15 Jul 1996 00:47:37 -0700 (PDT)
Received: from critter.tfs.com ([140.145.230.177])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA12108;
          Mon, 15 Jul 1996 00:47:30 -0700 (PDT)
Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.7.5/8.7.3) with ESMTP id JAA04916; Mon, 15 Jul 1996 09:46:57 +0200 (MET DST)
To: -Vince- <vince@mercury.gaianet.net>
cc: jbhunt <jbhunt@mercury.gaianet.net>,
        freebsd-security-notification@freebsd.org,
        freebsd-security@freebsd.org, root@mercury.gaianet.net
Subject: Re: New EXPLOIT located! 
In-reply-to: Your message of "Mon, 15 Jul 1996 00:43:05 PDT."
             <Pine.BSF.3.91.960715004202.1637C-100000@mercury.gaianet.net> 
Date: Mon, 15 Jul 1996 09:46:56 +0200
Message-ID: <4914.837416816@critter.tfs.com>
From: Poul-Henning Kamp <phk@freebsd.org>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>> remove the rdist program from your system, or just remove the setuid
>> bit from it.
>> 
>> Do normal "we've been hacked cleanup".
>
>	While we're at the subject, is there a hole with mount_msdos also 
>because the guy had some text on mount_msdos but I deleted the 
>/sbin/mount_msdos and -current still installs with the setuid bit...

Well, until proven innocent, all setuid programs are suspect.

Make a list of them all, remove setuid on any you don't use.  Consider
carefully the minimum permissions you can get away with on the rest.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.