Xref: utzoo news.admin:4098 news.sysadmin:1710 comp.mail.uucp:2377
Path: utzoo!attcan!lsuc!ecicrl!clewis
From: clewis@ecicrl.UUCP (Chris Lewis)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <155@ecicrl.UUCP>
Date: 29 Nov 88 03:36:23 GMT
References: <1971@van-bc.UUCP> <572@comdesign.CDI.COM> <5517@medusa.cs.purdue.edu> <561@redsox.UUCP> <215@twwells.uucp>
Reply-To: clewis@ecicrl.UUCP (Chris Lewis)
Organization: Elegant Communications Inc. (CRL Division)
Lines: 34

In article <215@twwells.uucp> bill@twwells.UUCP (T. William Wells) writes:
>In article <561@redsox.UUCP> campbell@redsox.UUCP (Larry Campbell) writes:
>: What's all this about writing gobs of code to decipher some new shar format?
>: Why not just chroot(2) to a safe place before feeding the article to sh?
>
>Because you have to be superuser to chroot. I'm not about to have
>chroot(1) be setuid root, so that means writing a special setuid root
>program that just chroots so I can then unshar my mail maps. And that
>means having One More setuid root program running around on my system.
>No thanks.

Let me get this straight - you're so afraid of setuid programs that you
won't even write your own 4 line C program to chroot and unpack your maps.
I take it then that you don't unpack maps. Right? Because it'd be silly
to use unprotected unshars if you're afraid of chroots inside programs
you've written.

Has anybody got a version of uuhosts that is in postable state and (at
least vaguely) is up to date? The stuff I've been running predates the
Great-Renaming. It would be really nice if a newish version was reposted.
Rich?

Secondly, can someone out there explain why chroot is privileged? Or why
/etc/chroot isn't setuid? It seems pretty darn silly that some mechanism
that can only be used for *reducing* access rights requires root permission.
If only /etc/chroot allowed anybody to run it, and it carefully made sure
that there was a setuid(getuid()) etc before invoking whatever it was going
to invoke, the uuhosts unshar would be trivial.
-- 
Chris Lewis, Markham, Ontario, Canada
{uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis
Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request
(or lsuc!gate!eci386!clewis or lsuc!clewis)
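
The wrapper the article describes (chroot to a safe place, then setuid(getuid()) before invoking the unpacker), as an added example that is not part of the original article and is not the poster's code. The function names `drop_to_real_ids` and `jailed_exec` and the command-line layout are assumptions; the binary is assumed to be installed setuid root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* chroot() prototype on glibc */
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privilege. Group first: setgid() is
 * no longer permitted once the uid is dropped. A setuid program already
 * runs with the caller's supplementary groups, so those are left alone. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)   /* drop took effect? */
        return -1;
    if (ruid != 0 && setuid(0) == 0)              /* root must be gone for good */
        return -1;
    return 0;
}

/* chroot into `jail`, drop privileges, exec argv[0] (a path inside the
 * jail). Returns -1 with errno set on failure; no return on success. */
int jailed_exec(const char *jail, char *const argv[])
{
    if (chdir(jail) != 0 || chroot(".") != 0)     /* chroot needs root */
        return -1;
    if (chdir("/") != 0)                          /* cwd must be inside the jail */
        return -1;
    if (drop_to_real_ids() != 0)                  /* never exec while still root */
        return -1;
    execv(argv[0], argv);
    return -1;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s jail-dir /path/in/jail [args...]\n", argv[0]);
        return 2;
    }
    jailed_exec(argv[1], &argv[2]);
    perror("jailed_exec");
    return 1;
}
```

The jail directory has to contain the shell and any tools the unpacker runs, since nothing outside it is reachable after the chroot.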