The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #282 [Re: DANGER: UUCP *can* propogate the Worm] (1 message, 858 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/282.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Theodore Ts'o <tytso@athena.mit.edu>
To: phage
Date: Sat 01:53:49 19/11/1988 EST
Subject: Re: DANGER: UUCP *can* propogate the Worm
References: [Thread Prev: 275] [Thread Next: 283] [Message Prev: 279] [Message Next: 283]

   Date: Fri, 18 Nov 88 12:06:16 PST
   From: ames!pyramid.pyramid.com!csg@EA.ECN.PURDUE.EDU (Carl S. Gutekunst)
   Reply-To: ames!pyramid.pyramid.com!csg@EA.ECN.PURDUE.EDU (Carl S. Gutekunst)

   I admit to being less concerned about what local users could do than
   what an outsider could do. Pipes are obviously useful both to outside
   crackers and to inside tomfoolery, even if it only gives permission
   as user "daemon" and group "other"; that's why I posted the patch to
   remove it in my original posting.

"Only" as user daemon?  Do a quick check of who owns and has write
access to /usr/spool/at.  So if RTM had been clever, his virus could
have cracked root on most machines, and it could have done so many
interesting things.  (I've been looking into how difficult it would be
to append some interesting code to the end of some executable such as
/etc/cron or /etc/fsck, and it doesn't look that hard.) 

I've changed /usr/spool/at to be owned by root and changed atq, atrm,
and at to be setuid root instead of daemon.  This is probably a good
thing to do, since if you can spoof at, it's all over but the shouting.

						- Ted

END OF DOCUMENT
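
The check the message asks for ("who owns and has write access to /usr/spool/at"), as an added example that is not part of the original message. It goes beyond the message by also walking the parent directories; the function names and the `trusted_uids` parameter are assumptions of this example.

```python
import os
import stat
import sys


def check_dir(path, trusted_uids, is_leaf):
    """Findings for one directory: untrusted owner, or group/world write."""
    st = os.stat(path)
    findings = []
    if st.st_uid not in trusted_uids:
        findings.append(f"{path}: owned by untrusted uid {st.st_uid}")
    # On an ancestor, the sticky bit stops non-owners from renaming or
    # deleting entries they do not own, so write bits are not reported.
    # On the spool itself, write access means jobs can be planted.
    if is_leaf or not st.st_mode & stat.S_ISVTX:
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{path}: writable by gid {st.st_gid}")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{path}: world-writable")
    return findings


def audit_spool(spool, trusted_uids=frozenset({0})):
    """Check the spool directory and every ancestor up to the root.

    Write access to an ancestor lets an account swap the spool out from
    under the job runner, so the whole chain is checked, not just the leaf.
    """
    path = os.path.abspath(spool)
    if not os.path.isdir(path):
        return [f"{path}: not a directory"]
    findings = check_dir(path, trusted_uids, is_leaf=True)
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        findings += check_dir(path, trusted_uids, is_leaf=False)
    return findings


if __name__ == "__main__":
    # /usr/spool/at is the path from the message; pass the local spool path.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/spool/at"
    results = audit_spool(target)
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```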