Xref: utzoo news.admin:4115 news.sysadmin:1736 comp.mail.uucp:2396
Path: utzoo!dciem!nrcaer!sce!cognos!glee
From: glee@cognos.uucp (Godfrey Lee)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <4697@cognos.UUCP>
Date: 28 Nov 88 19:29:12 GMT
Article-I.D.: cognos.4697
References: <1227@vsi1.UUCP> <1247@vsi1.UUCP>
Reply-To: glee@cognos.UUCP (Godfrey Lee)
Organization: Cognos Inc., Ottawa, Canada
Lines: 64

It is in times of chaos and confusion that everyone on the net has the ethical
responsibility to assess and communicate the facts and help everyone else
understand and cope with the situation.

I found that most people responded in the above spirit and have been very
helpful. I did take a second look at my system, and tightened up security where
it warranted, without having to turn it into a fortress. I do, however, feel
that although the author below has good intentions, he did not hold up his end
in being thorough in his analysis and did not communicate it in an even tone.

In article <1247@vsi1.UUCP> lmb@vsi1.UUCP (Larry Blair) writes:
>I received about 300 requests; not very many.  A number of the responses
>bounced, 2 of them because AT&T doesn't know about its own machines.

Actually, 300 is a lot. If we have 300 secure sites among the 6000 estimated
sites in usenet, any virus/worm would have difficulty spreading very far.

>A lot of people thought I was wrong to not just post in the first place.

Maybe you are a bit paranoid :-)

Actually, a lot of people have already pointed out that informed people are the
ones best equipped to protect themselves. The virus/worm authors and would-be
authors can usually find out how to do it without anyone's help, thank you very
much.

>One thing that bugs the hell out of me: it takes about 30 seconds to create
>a mail alias, but a lot of supposed administrators sent me mail like, "Gee,
>we don't have a 'news' user here."

Don't get bugged, just teach them.

>The hole I have discovered in _many_ systems is the use of a script for the
>automatic unsharing of maps.

This is a legitimate concern and should be shared with everyone. I don't agree
with some people that everyone knows this hole. Even people who know this hole
might not have taken steps to guard against it.

>Uuhosts is only slightly more protected.  The mapsh program does a chroot
>to limit any damage to the directory tree containing the unpacked maps.
>All of the commands in the effective /bin allow the creation and overwrite
>of files.  The danger here is that, besides overwriting everything in the
>directory tree including the programs in the /bin, you can run the filesystem
>out of space or out of inodes.  And since mapsh runs as root, out of space
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>means REALLY out of space.

Not quite true. You should have looked at the source for mapsh. It runs as root
because you need to be root to do a chroot. The manual pages tell you to run
uuhosts as user "news" not "root". The mapsh program does a geteuid to "root",
then a "chroot" call, then a getuid to, if you have set it up according to
instructions, user "news".

>Planting Trojan Horses is also possible.

There you go again, either don't make these statements or at least give some
plausible scenario so people know where to look!

-- 
Godfrey Lee                                            P.O. Box 9707
Cognos Incorporated                                    3755 Riverside Dr.
VOICE:  (613) 738-1338 x3802   FAX: (613) 738-0002     Ottawa, Ontario
UUCP: uunet!mitel!sce!cognos!glee                      CANADA  K1G 3Z4
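
The sequence this reply describes for a setuid-root helper (root only long enough to chroot, then on to the unprivileged user), as an added C example; it is not the mapsh source or anything posted in this thread. The function name, the jail path and the numeric uid/gid are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not taken from the mapsh source.
 * Confine the process to jail_dir, then give up root for good.
 * Returns 0 on success, -1 on failure with errno set. */
int enter_jail_and_drop(const char *jail_dir, uid_t uid, gid_t gid)
{
    /* Refuse a "drop" to root: that would leave root inside the jail. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* chroot() needs root, so it has to come before the drop. */
    if (chroot(jail_dir) != 0)
        return -1;
    /* Without this the working directory can still point outside the jail. */
    if (chdir("/") != 0)
        return -1;
    /* Groups first: after setuid() we are no longer allowed to change them. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0)
        return -1;
    /* Called as root, setuid() sets real, effective and saved uid together. */
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible; regaining root here means it failed. */
    if (setuid(0) == 0 || geteuid() != uid || getuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed values: the jail path and uid/gid 9 are assumptions. */
    if (enter_jail_and_drop("/var/spool/maps-jail", 9, 9) != 0) {
        perror("enter_jail_and_drop");
        return 1;
    }
    printf("confined, uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

Whether disk space and inodes inside the jail are then charged to root or to the unprivileged user depends on this drop having happened before any file is written.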