Xref: utzoo news.admin:4097 news.sysadmin:1709 comp.mail.uucp:2376
Path: utzoo!attcan!lsuc!ecicrl!clewis
From: clewis@ecicrl.UUCP (Chris Lewis)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Keywords: "it's a secret ... but they told me!" -- david dobkin
Message-ID: <154@ecicrl.UUCP>
Date: 29 Nov 88 03:22:39 GMT
References: <1227@vsi1.UUCP> <117@hudson.Morgan.COM> <800@mailrus.cc.umich.edu> <151@ecicrl.UUCP> <11048@bigtex.cactus.org>
Reply-To: clewis@ecicrl.UUCP (Chris Lewis)
Organization: Elegant Communications Inc. (CRL Division)
Lines: 44

In article <11048@bigtex.cactus.org> james@bigtex.cactus.org (James Van Artsdalen) writes:
>> You know, maybe we should try to invent a new "mailable" archive format
>> that isn't compatible with /bin/sh so that people are *never* tempted into
>> the trap of using sed..|sh or insecure unshars.

>Wonderful. What a great idea. Doesn't it seem odd that your goal is
>to create an archive layout that nobody can unpack?

Huh?

> How do you ever
>expect people to unpack this stuff? Are *you* going to ensure that
>everyone gets a copy of your unpacker, and that vendors all distribute
>it?

Moi? Did *I* volunteer? ;-)

No, I'm not suggesting that some great-big all-singing all-dancing
archiver be built. That you need half an Eagle to recompile...

How about something simple, the file format for maps consists of:

	MAP.... ENDMAP

Which can be parsed by two lines of sed. Which can be posted as part
of the "README" for maps.

>John Quaterman's uuhosts package works. It is secure in the sense
>that a worm or virus cannot propagate (a worm could consume CPU cycles
>or disk space, but that's about it). Use it.

I do.

>If anyone has a way of
>breaking chroot(2), I'd like to hear about it...

Send me mail from your root id and I'll tell you about it.
-- 
Chris Lewis, Markham, Ontario, Canada
{uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis
Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request
(or lsuc!gate!eci386!clewis or lsuc!clewis)
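
The data-only unpacking proposed in the post above, as an added example (not code from the post or from uuhosts). It assumes the payload is the lines strictly between a line reading exactly `MAP` and the next line reading exactly `ENDMAP`; `extract_map`, `make_sample` and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: unpack a "MAP ... ENDMAP" posting as data, never as a script.
# Assumed layout (the post does not spell it out): the payload is every line
# strictly between a line reading exactly MAP and the next one reading ENDMAP.

# extract_map ARTICLE OUTFILE  (hypothetical helper name)
# Returns 1 and writes nothing if the markers are missing or the article is cut off.
extract_map() {
    article=$1
    out=$2
    tmp=$(mktemp) || return 1
    # sed line 1: copy the first MAP..ENDMAP range, then stop reading.
    sed -n '/^MAP$/,/^ENDMAP$/{p;/^ENDMAP$/q;}' "$article" > "$tmp"
    # No closing marker means a truncated or foreign article: refuse it.
    if [ "$(tail -n 1 "$tmp")" != "ENDMAP" ]; then
        rm -f "$tmp"
        return 1
    fi
    # sed line 2: drop the two marker lines; the rest is written verbatim.
    sed '1d;$d' "$tmp" > "$out"
    rm -f "$tmp"
}

# Constructed sample article (not a real map posting). The quoted here-document
# keeps the payload literal, including the line that looks like a command.
make_sample() {
    cat > "$1" <<'EOF'
Subject: constructed sample

MAP
#N example
echo "a sed|sh unpacker would have run this line"
ENDMAP
trailing signature text
EOF
}

# Stand-alone use (hypothetical script name): sh extract_map.sh ARTICLE OUTFILE
if [ "$#" -eq 2 ]; then
    extract_map "$1" "$2"
fi
```

Nothing in the article ever reaches a shell interpreter: headers and signature are skipped, and payload lines that look like commands are copied to the output file as text.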