Date: Sun, 9 Sep 2001 05:59:03 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909055903.A34519@nagual.pp.ru>
In-Reply-To: <20010908185415.A5619@xor.obsecurity.org>
Sender: owner-freebsd-security@FreeBSD.ORG

On Sat, Sep 08, 2001 at 18:54:15 -0700, Kris Kennaway wrote:
>
> Yeah, that's probably a good change to make. However the uucp
> vulnerability still lets e.g. arbitrary users read/modify uucp spool
> data, create files, access the uucp:dialer devices, etc.

All you mention is historical old-days uucp subsystem bad 'features'; it
is not foolproof and requires ethical behaviour of its users. To eliminate
these things, the main uucp developers must be contacted, because these
things hardly integrated in normal usage flow and can't be detached
easily. I.e. it is not a FreeBSD security problem but a uucp problem (as
designed). All we need is to protect uucp binaries from modifications
(via schg).

--
Andrey A. Chernov
http://ache.pp.ru/