Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.2 9/17/84; site milo.UUCP Path: utzoo!watmath!clyde!burl!ulysses!ucbvax!decvax!cwruecmp!milo!acy From: acy@milo.UUCP (Adnan Yaqub) Newsgroups: net.micro.att Subject: Re: pc7300 security Message-ID: <623@milo.UUCP> Date: Tue, 20-Aug-85 14:45:55 EDT Article-I.D.: milo.623 Posted: Tue Aug 20 14:45:55 1985 Date-Received: Sat, 24-Aug-85 03:17:11 EDT References: <141@gwsd.UUCP> <316@ttrdc.UUCP> <6055@duke.UUCP> Organization: Allen-Bradley Co., Highland Heights, OH 44143 Lines: 21 > >Note: if you so wish, (and I doubt it) you can change whatever option > >is currently on Open (Open=EXEC -?.... to Open=EXEC -dp ....) > >this opens a UNIX shell with root permissions, # prompt and > >everything. How's that for lack of security? > > It's worse than that! Any user can do this to their own Office file, with > the same effect. Thus, the following lines in a user's home directory Office > file will put a root shell menu item in the Office window: > Name=Root Shell > Default = Run > Run=EXEC -pd $SHELL > This is documented on page 6 of the UA(4) manual entry. I think it is possible to overcome some of the security problems by removing the set user id bit on $UA/uasetx and $UA/uasig. It seems to protect things nicely. The user agent does not handle the protection errors very well but it doesn't seem to do anything too bad and besides, if you don't have the necessary privileges then you shouldn't be trying it, right? Thanks Clive.