What's so special about uudecode?
Ronald S H Khoo
ronald at robobar.co.uk
Mon Dec 31 12:08:16 AEST 1990
[ this really wants to go to alt.security.d, but seeing as it doesn't exist,
I've redirected to alt.security. Sorry folx ]
tronix at polari.UUCP (David Daniel) writes:
> [remainder of security hole explanation deleted]
[ the setuid-to-uucp uudecode one ]
> You should have answered this person via e-mail with a cc to root.
Nope. It's a general interest question that pops up from time to time,
sometimes I give the answer, sometimes I don't. Maybe it should go into
the FAQ. It's hardly new, nor is it hard to find (find / -perm would
have found it straight away, and I can't see any half competent cracker
missing that trick)
Has someone got a summary of the last 30 "you should not have posted
that, Oh yes I should, Oh no you shouldn't" discussions that we've had
which they can mail to Mr. Daniel ?
> I'm glad I don't have an account on his system.
Why? What can a cracker do with a uucp shell? Get network passwords to
fund his cracking with ? Forge mail (that's easy enough anyway) ?
That's his sysadmin's problem, not yours.
Nothing to crack *your* account with that I know of, unless someone
knows one. Please post. If such a hole exists, I want to plug it.
Ronald, at this point, pretty fed up with all this pettiness...
--
ronald at robobar.co.uk +44 81 991 1142 (O) +44 71 229 7741 (H)