What's so special about uudecode?
Ronald S H Khoo
ronald at robobar.co.uk
Sun Dec 30 01:20:17 AEST 1990
krieg at titan.med.ge.com (Andrew Krieg) writes:
> uudecode has some special characteristics at my site.
> If you try to run it, say in your home directory, you
> get the error:
>
> filename: Permission denied
Ha! I think your vendor has made the *dreadful* error of making
uudecode setuid to uucp "for the convenience of decoding received uucp
files". I have seen systems where this is a horrible security hole in
that uudecode will allow anyone to make a setuid-to-uucp shell (begin 4755
sh) and so gain access to L.sys and the passwords therein (especially
nasty if L.sys contains passwords to expensive PDN network gateways).
I would encourage you to tell your system administrator to remove the
setuid bit on uudecode (chmod ug-s /usr/bin/uudecode) and shout at your
vendor. It's this sort of thing that gives UNIX system security a bad
name.
--
ronald at robobar.co.uk +44 81 991 1142 (O) +44 71 229 7741 (H)
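
A defender-side check for the misconfiguration described above, as an added example that is not part of the original post: it reports setuid/setgid bits on a binary such as /usr/bin/uudecode and flags uuencode "begin" headers that request those bits. The function names audit_setid and flag_setid_headers are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the
# setuid-uudecode misconfiguration and for uuencoded input that
# asks for setuid/setgid modes.

# audit_setid PATH...
# Report each existing PATH that carries a setuid or setgid bit.
# Returns 1 if any finding was printed, 0 otherwise.
audit_setid() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            # ls -ld fields: $1 = mode string, $3 = owner, $4 = group
            ls -ld -- "$f" | awk -v p="$f" \
                '{ printf "FINDING %s mode=%s owner=%s group=%s\n", p, $1, $3, $4 }'
            # Remediation as given in the post
            echo "  fix: chmod ug-s $f"
            rc=1
        fi
    done
    return $rc
}

# flag_setid_headers FILE
# Print (with line numbers) uuencode "begin MODE NAME" headers whose octal
# MODE requests setuid (4000) or setgid (2000), i.e. the fourth digit from
# the right is 2-7. Sticky-only modes such as 1755 are not flagged.
# Returns 0 if at least one such header was found.
flag_setid_headers() {
    grep -nE '^begin[[:space:]]+[0-7]*[2-7][0-7]{3}[[:space:]]+[^[:space:]]' "$1"
}

# Command-line use: audit the paths given as arguments,
# e.g. sh audit.sh /usr/bin/uudecode
if [ "$#" -gt 0 ]; then
    audit_setid "$@"
fi
```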
More information about the Comp.unix.questions
mailing list