Xref: utzoo news.admin:4135 news.sysadmin:1760 comp.mail.uucp:2418 Path: utzoo!utgpu!watmath!clyde!att!rutgers!mailrus!uflorida!novavax!proxftl!twwells!bill From: bill@twwells.uucp (T. William Wells) Newsgroups: news.admin,news.sysadmin,comp.mail.uucp Subject: Re: Dangerous hole in Usenet! Message-ID: <228@twwells.uucp> Date: 1 Dec 88 04:49:32 GMT References: <1971@van-bc.UUCP> <572@comdesign.CDI.COM> <5517@medusa.cs.purdue.edu> <561@redsox.UUCP> <215@twwells.uucp> <155@ecicrl.UUCP> Reply-To: bill@twwells.UUCP (T. William Wells) Organization: None, Ft. Lauderdale Lines: 28 In article <155@ecicrl.UUCP> clewis@ecicrl.UUCP (Chris Lewis) writes: : In article <215@twwells.uucp> bill@twwells.UUCP (T. William Wells) writes: : >In article <561@redsox.UUCP> campbell@redsox.UUCP (Larry Campbell) writes: : >: What's all this about writing gobs of code to decipher some new shar format? : >: Why not just chroot(2) to a safe place before feeding the article to sh? : > : >Because you have to be superuser to chroot. I'm not about to have : >chroot(1) be setuid root, so that means writing a special setuid root : >program that just chroots so I can then unshar my mail maps. And that : >means having One More setuid root program running around on my system. : >No thanks. : : Let me get this straight - you're so afraid of setuid programs that : you won't even write your own 4 line C program to chroot and unpack your : maps. Setuid root programs are potential Trojan Horses. That means that reasonable security means keeping a beady eye on each one. I'd rather not have such, if there is a better way. : I take it then that you don't unpack maps. Right? Wrong. As soon as I was notified of my stupidity in using the shell to unpack the maps, I wrote a map unpacker. It now does the work. --- Bill {uunet|novavax}!proxftl!twwells!bill