Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/17/84; site milo.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!ucbvax!decvax!cwruecmp!milo!acy
From: acy@milo.UUCP (Adnan Yaqub)
Newsgroups: net.micro.att
Subject: Re: pc7300 security
Message-ID: <623@milo.UUCP>
Date: Tue, 20-Aug-85 14:45:55 EDT
Article-I.D.: milo.623
Posted: Tue Aug 20 14:45:55 1985
Date-Received: Sat, 24-Aug-85 03:17:11 EDT
References: <141@gwsd.UUCP> <316@ttrdc.UUCP> <6055@duke.UUCP>
Organization: Allen-Bradley Co., Highland Heights, OH 44143
Lines: 21

> >Note: if you so wish, (and I doubt it) you can change whatever option 
> >is currently on Open (Open=EXEC -?....  to Open=EXEC -dp ....)
> >this opens a UNIX shell with root permissions, # prompt and
> >everything.  How's that for lack of security?
> 
> It's worse than that!  Any user can do this to their own Office file, with
> the same effect.  Thus, the following lines in a user's home directory Office
> file will put a root shell menu item in the Office window:
> 	Name=Root Shell
> 	Default = Run
> 	Run=EXEC -pd $SHELL
> This is documented on page 6 of the UA(4) manual entry.

	I think it is possible to overcome some of the security
problems by removing the set user id bit on $UA/uasetx and
$UA/uasig.  It seems to protect things nicely.  The user agent
does not handle the protection errors very well but it doesn't
seem to do anything too bad and besides, if you don't have the
necessary privileges then you shouldn't be trying it, right?

	Thanks Clive.