Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 (Tek) 9/28/84 based on 9/17/84; site motel6.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxt!houxm!mtuxo!mtunh!mtung!mtunf!ariel!vax135!cornell!uw-beaver!tektronix!reed!motel6!keith
From: keith@motel6.UUCP (Keith Packard)
Newsgroups: net.bugs.uucp
Subject: Re: Read permission on /etc/phones
Message-ID: <170@motel6.UUCP>
Date: Wed, 3-Jul-85 00:13:56 EDT
Article-I.D.: motel6.170
Posted: Wed Jul  3 00:13:56 1985
Date-Received: Fri, 28-Jun-85 01:33:06 EDT
References: <472@qantel.UUCP>
Reply-To: keith@motel6.UUCP (Keith Packard)
Organization: 5440 SE 41st, Portland, OR
Lines: 34

In article <472@qantel.UUCP> stv@qantel.UUCP (Steve Vance@ex2499) writes:
>This has probably been asked before, but I don't remember seeing it.  We
>have 4.2BSD unix, which has a file /etc/remote which can contain the
>names of systems people can "tip" to.  You can say "pn=@" for an entry,
>which allows you to put the phone number in a file called /etc/phones,
>presumably so that you can chmod it to 400 so that only uucp can read
>it--comparable to L.sys.  You want to keep the phone numbers of other
>systems a secret, at least I do.  However, unless the permissions on
>/etc/phones are 444, tip can't read the file, even if tip is suid to
>uucp.  Is this the way it should be, or is there a patch to tip, or am I
>missing something?  Why have /etc/phones, if you can't keep the numbers
>secret?
>-- 
>
>Steve Vance
>{dual,hplabs,intelca,nsc,proper}!qantel!stv
>dual!qantel!stv@berkeley
>Qantel Corporation, Hayward, CA

The problem with tip is that, after locking the modem port, it
setuid's back to the original invoker's uid/gid.  This is
supposed to patch the security hole surrounding shell escapes
and file transfers.  Fine, but alas, it doesn't read /etc/phones
until it has forked and setuid'ed so, unless the file is
444 or better, it can't read it.  I can't think of a simple solution
to this; it has to read the phones file first and save the information
until it needs it.

Keith Packard

...!tektronix!azure!motel6!keith
...!tektronix!reed!motel6!keith
...!tektronix!azure!keithp
Tektronix
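
The ordering described in the reply above (read the phones file while still privileged, keep the result, then give up the set-id identity), as an added example that is not tip's source and not part of the original post. The function names, the one-entry-per-line file format and the sample numbers are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample file (made-up numbers), mode 0400 as the post wants. */
int write_sample(const char *path)
{
    FILE *fp;
    remove(path);                   /* ignore failure: file may not exist */
    if ((fp = fopen(path, "w")) == NULL) return -1;
    fputs("# constructed sample\nalpha 5550100\nbeta 5550199\n", fp);
    return (fclose(fp) == 0 && chmod(path, 0400) == 0) ? 0 : -1;
}

/* Assumed format: "name number" per line, '#' comments. 0 on hit, else -1. */
int lookup_phone(const char *path, const char *system, char *out, size_t outlen)
{
    char line[256], name[64], number[64];
    int rc = -1;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;      /* what tip hits once it has dropped */
    while (rc != 0 && fgets(line, sizeof line, fp) != NULL) {
        if (line[0] != '#' && sscanf(line, "%63s %63s", name, number) == 2 &&
            strcmp(name, system) == 0 && strlen(number) < outlen) {
            strcpy(out, number);
            rc = 0;
        }
    }
    fclose(fp);
    return rc;
}

/* Become the invoker for good: group before user, then verify the result. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    if (setregid(getgid(), getgid()) != 0 || setreuid(ruid, ruid) != 0) return -1;
    if (euid != ruid && seteuid(euid) == 0) return -1;  /* must not be regainable */
    return 0;
}

/* Ordering fix: look up while privileged, cache in memory, then drop; fail closed. */
int resolve_then_drop(const char *path, const char *system, char *out, size_t outlen)
{
    int found = lookup_phone(path, system, out, outlen);
    return drop_privileges() == 0 ? found : -2;
}
```

After the drop, the cached number lives in the memory of a process owned by the invoker, so this keeps the file itself unreadable on disk but is not a hard secrecy boundary against that user.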