Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 8 Sep 2001 19:07:00 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        Kris Kennaway <kris@obsecurity.org>, "Todd C. Miller" <Todd.Miller@courtesan.com>, Matt Dillon <dillon@earth.backplane.com>, Jordan Hubbard <jkh@FreeBSD.ORG>, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject:   Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID:  <20010908190700.A5881@xor.obsecurity.org>
In-Reply-To: <20010909055903.A34519@nagual.pp.ru>; from ache@nagual.pp.ru on Sun, Sep 09, 2001 at 05:59:03AM %2B0400
References:  <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org> <20010909045226.A33654@nagual.pp.ru> <20010908180848.A94567@xor.obsecurity.org> <200109090120.f891KvM14677@xerxes.courtesan.com> <20010908185415.A5619@xor.obsecurity.org> <20010909055903.A34519@nagual.pp.ru>

next in thread | previous in thread | raw e-mail | index | archive | help

--gKMricLos+KVdGMg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Sep 09, 2001 at 05:59:03AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 18:54:15 -0700, Kris Kennaway wrote:
> >=20
> > Yeah, thats probably a good change to make.  However the uucp
> > vulnerability still lets e.g. arbitrary users read/modify uucp spool
> > data, create files, access the uucp:dialer devices, etc.
>=20
> All you mention is historical old-days uucp subsystem bad 'features', it
> is not fool proff and require ethic behaviour of its users. To eliminate
> this things main uucp developers must be contacted, because this things
> hardly integrated in normal usage flow and can't be deattached easily.
>=20
> I.e. it is not FreeBSD security problem but uucp problem (as designed).
> All we need is to protect uucp binaries from modifications (via schg).

Hmm.  These flaws in the UUCP suite need to be documented, then.

I'm also very uneasy at having a local root exploited foiled only by
the setting of UFS file flags (mostly because of the NFS-mounted /usr
case).

I think it's finally time to make UUCP into a port: I'll work on that
later tonight.

Kris


--gKMricLos+KVdGMg
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7ms7EWry0BWjoQKURAuC3AJ4pcRUxdoH5eLUPbjARvB8kaTJr+wCg1gnG
fbpUR2H4kCFObrb4Am7Nb/M=
=i5+C
-----END PGP SIGNATURE-----

--gKMricLos+KVdGMg--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010908190700.A5881>