From owner-freebsd-arch  Mon Sep 17 18:28:26 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from buffoon.automagic.org (buffoon.automagic.org [208.185.30.208])
	by hub.freebsd.org (Postfix) with SMTP id E638937B410
	for <arch@FreeBSD.ORG>; Mon, 17 Sep 2001 18:28:23 -0700 (PDT)
Received: (qmail 74815 invoked by uid 1000); 18 Sep 2001 01:28:23 -0000
Date: Mon, 17 Sep 2001 21:28:23 -0400
From: Joe Abley <jabley@automagic.org>
To: lyndon@orthanc.ab.ca
Cc: kris@obsecurity.org, arch@FreeBSD.ORG
Subject: Re: Moving UUCP to ports
Message-ID: <20010917212822.B52922@buffoon.automagic.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200109180035.f8I0Z2U4034342@orthanc.ab.ca>
User-Agent: Mutt/1.3.22.1i
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-arch.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-arch>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-arch>
X-Loop: FreeBSD.ORG

[reposted with corrected recipient addresses; bang-paths from an
era long past removed with prejudice]

On Mon, Sep 17, 2001 at 06:35:02PM -0600, Lyndon Nerenberg wrote:
> >>>>> "Kris" == Kris Kennaway <kris@obsecurity.org> writes:
> 
>     Kris> I would like to move the UUCP suite from the base system
>     Kris> into ports.  The UUCP utilities have a security hole which
>     Kris> yields user uucp access, which can currently be leverage to
>     Kris> obtain root access by trojaning the uucp binaries.  This
>     Kris> security hole is believed to be basically unfixable due to
>     Kris> the design of UUCP: we can limit its impact, but not
>     Kris> eliminate it for all users.
> 
> What's the specific bug here? It's hard to evaluate your request
> without knowing the actual problem.

UUCP was just (in the past week or so) removed from OpenBSD-current
and into ports. I don't mean to suggest that anybody here should jump
through hoops just because OpenBSD made a decision to do so; however,
since it's a recent event I thought it might be newsworthy.

I just saw the CVS log entries pertaining to the deUUCPification.
Tracking down openbsd mailing list traffic on the subject might be
useful.


Joe


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message