Date: Mon, 17 Sep 2001 18:35:02 -0600
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
To: Kris Kennaway <obsecurity.org!kris@orthanc.ab.ca>
Cc: FreeBSD.ORG!arch@orthanc.ab.ca
Subject: Re: Moving UUCP to ports
Message-ID: <200109180035.f8I0Z2U4034342@orthanc.ab.ca>
In-Reply-To: Your message of "Sat, 08 Sep 2001 22:37:23 PDT." <20010908223722.A47449@xor.obsecurity.org>

>>>>> "Kris" == Kris Kennaway <kris@obsecurity.org> writes:

    Kris> I would like to move the UUCP suite from the base system
    Kris> into ports. The UUCP utilities have a security hole which
    Kris> yields user uucp access, which can currently be leveraged to
    Kris> obtain root access by trojaning the uucp binaries. This
    Kris> security hole is believed to be basically unfixable due to
    Kris> the design of UUCP: we can limit its impact, but not
    Kris> eliminate it for all users.

What's the specific bug here? It's hard to evaluate your request
without knowing the actual problem. Is this related to setuid
binaries? If so, would you consider a version of UUCP that doesn't
require any setuid binaries?

Also, please remember that for those sites relying solely on UUCP for
connectivity, building from ports may not be an (easily available)
option.

--lyndon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message