Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!cornell!batcomputer!itsgw!steinmetz!uunet!ateng!chip
From: chip@ateng.ateng.com (Chip Salzenberg)
Newsgroups: news.admin
Subject: Re: Dangerous hole in Usenet!
Message-ID: <1988Nov27.162018.22115@ateng.ateng.com>
Date: 27 Nov 88 21:20:18 GMT
References: <1227@vsi1.UUCP> <117@hudson.Morgan.COM>
Organization: A T Engineering, Tampa, FL
Lines: 16

According to nagel@paris.ics.uci.edu (Mark Nagel):
>According to chip@ateng (Chip Salzenberg):
>>Er, yes.  Rich Salz's "cshar" package includes a "safe" unshar program in C.
>
>Hmm.  Please point me at this.  I looked through the cshar package [...]
>The shell program runs commands, but is by no mean secure (see man page).
>Which one, then, is secure?

I erred.  Rich's shell isn't secure.

On the other hand, it wouldn't take much to make it safe -- such as, put a
halt to all shell scripts that make references to absolute pathnames.
-- 
Chip Salzenberg              or 
A T Engineering             Me?  Speak for my company?  Surely you jest!
	   Beware of programmers carrying screwdrivers.