From owner-freebsd-arch Mon Sep 17 18: 8:23 2001
Message-Id: <200109180035.f8I0Z2U4034342@orthanc.ab.ca>
From: Lyndon Nerenberg
Organization: The Frobozz Magic Homing Pigeon Company
To: Kris Kennaway
Cc: FreeBSD.ORG!arch@orthanc.ab.ca
Subject: Re: Moving UUCP to ports
In-reply-to: Your message of "Sat, 08 Sep 2001 22:37:23 PDT." <20010908223722.A47449@xor.obsecurity.org>
Date: Mon, 17 Sep 2001 18:35:02 -0600

>>>>> "Kris" == Kris Kennaway writes:

    Kris> I would like to move the UUCP suite from the base system
    Kris> into ports. The UUCP utilities have a security hole which
    Kris> yields user uucp access, which can currently be leveraged to
    Kris> obtain root access by trojaning the uucp binaries. This
    Kris> security hole is believed to be basically unfixable due to
    Kris> the design of UUCP: we can limit its impact, but not
    Kris> eliminate it for all users.

What's the specific bug here? It's hard to evaluate your request
without knowing the actual problem. Is this related to setuid
binaries? If so, would you consider a version of UUCP that doesn't
require any setuid binaries?

Also, please remember that for those sites relying solely on UUCP for
connectivity, building from ports may not be an (easily available)
option.

--lyndon