Xref: utzoo news.admin:4115 news.sysadmin:1736 comp.mail.uucp:2396
Path: utzoo!dciem!nrcaer!sce!cognos!glee
From: glee@cognos.uucp (Godfrey Lee)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <4697@cognos.UUCP>
Date: 28 Nov 88 19:29:12 GMT
Article-I.D.: cognos.4697
References: <1227@vsi1.UUCP> <1247@vsi1.UUCP>
Reply-To: glee@cognos.UUCP (Godfrey Lee)
Organization: Cognos Inc., Ottawa, Canada
Lines: 64

It is in times of chaos and confusion that everyone on the net has the
ethical responsibilities to assess and communicate the facts and help
everyone else understand and cope with the situation.

I found that most people responded in the above spirit and have been very
helpful. I did take a second look at my system, and tightened up security
where it warranted, without having to turn it into a fortress.

I do, however, feel that although the author below has good intentions, he
did not hold up his end in being thorough in his analysis and did not
communicate it in an even tone.

In article <1247@vsi1.UUCP> lmb@vsi1.UUCP (Larry Blair) writes:
>I received about 300 requests; not very many. A number of the responses
>bounced, 2 of them because AT&T doesn't know about its own machines.

Actually, 300 is a lot. If we have 300 secure sites among the 6000 estimated
sites in usenet, any virus/worm would have difficulty spreading very far.

>A lot of people thought I was wrong to not just post in the first place.

Maybe you are a bit paranoid :-) Actually, a lot of people have already
pointed out that informed people are the ones best equipped to protect
themselves. The virus/worm authors and would-be authors can usually find out
how to do it without anyone's help, thank you very much.

>One thing that bugs the hell out of me: it takes about 30 seconds to create
>a mail alias, but a lot of supposed administrators sent me mail like, "Gee,
>we don't have a 'news' user here."

Don't get bugged, just teach them.

>The hole I have discovered in _many_ systems is the use of a script for the
>automatic unsharing of maps.

This is a legitimate concern and should be shared with everyone. I don't
agree with some people that everyone knows this hole. Even people who know
this hole might not have taken steps to guard against it.

>Uuhosts is only slightly more protected. The mapsh program does a chroot
>to limit any damage to the directory tree containing the unpacked maps.
>All of the commands in the effective /bin allow the creation and overwrite
>of file. The danger here is that, besides overwriting everything in the
>directory tree including the programs in the /bin, you can run the filesystem
>out of space or out of inodes. And since mapsh runs as root, out of space
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>means REALLY out of space.

Not quite true. You should have looked at the source for mapsh. It runs as
root because you need to be root to do a chroot. The manual pages tell you
to run uuhosts as user "news" not "root". The mapsh program does a geteuid
to "root", then a "chroot" call, then a getuid to, if you have set it up
according to instructions, user "news".

>Planting Trojan Horses is also possible.

There you go again, either don't make these statements or at least give some
plausible scenario so people know where to look!
-- 
Godfrey Lee                              P.O. Box 9707
Cognos Incorporated                      3755 Riverside Dr.
VOICE: (613) 738-1338 x3802              Ottawa, Ontario
FAX: (613) 738-0002                      CANADA K1G 3Z4
UUCP: uunet!mitel!sce!cognos!glee