Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site duke.UUCP
Path: utzoo!linus!decvax!mcnc!duke!rrt
From: rrt@duke.UUCP (Russell R. Tuck)
Newsgroups: net.micro.att
Subject: Re: pc7300 security
Message-ID: <6055@duke.UUCP>
Date: Mon, 5-Aug-85 10:14:59 EDT
Article-I.D.: duke.6055
Posted: Mon Aug  5 10:14:59 1985
Date-Received: Wed, 7-Aug-85 02:33:21 EDT
References: <141@gwsd.UUCP> <316@ttrdc.UUCP>
Reply-To: rrt@duke.UUCP (Russell R. Tuck)
Organization: Duke University
Lines: 37
Summary: 

In article <316@ttrdc.UUCP> kad@ttrdc.UUCP (Keith Drescher) writes:
>You can keep users from accessing UNIX System via the User Agent (ua)
>by editing /usr/lib/ua/Office.  Simply comment out the line with
>UNIX System and the few lines following it (Default = , Open =, etc)
>by placing #'s in front of them.  This keeps anyone from accessing
>UNIX from ua by removing UNIX System from the Office menu.

No, they can put it back into their Office menu by putting a file called
Office in their home directory with the following lines:
	Name=UNIX window
	Default = Run
	Run=EXEC -w $SHELL
All menu items in this file are added to the Office window, replacing any
identically-named items.  (They can get to the shell the first time with
"!sh", as noted in another article.)

>Note: if you so wish, (and I doubt it) you can change whatever option 
>is currently on Open (Open=EXEC -?....  to Open=EXEC -dp ....)
>this opens a UNIX shell with root permissions, # prompt and
>everything.  How's that for lack of security?

It's worse than that!  Any user can do this to their own Office file, with
the same effect.  Thus, the following lines in a user's home directory Office
file will put a root shell menu item in the Office window:
	Name=Root Shell
	Default = Run
	Run=EXEC -pd $SHELL
This is documented on page 6 of the UA(4) manual entry.

I discussed this with someone on the AT&T Support Hotline.  He was unaware of
this particular "feature" (sic) (ie, bug) of the User Agent, but said that the
next release ("in the fourth quarter") is supposed to have much improved
security.  Let's hope so!

			Russ Tuck
			Duke University Computer Science Department
			rrt@duke