The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #287 [DANGER: UUCP *can* propagate the Worm] (1 message, 820 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/287.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Barry Shein <encore!pinocchio!bzs@talcott.harvard.edu>
To: phage
Date: Sun 10:05:13 20/11/1988 EST
Subject: DANGER: UUCP *can* propagate the Worm


There's nothing inherently wrong in using multiple uid's (your summary
seemed complete enough) for various sub-systems. I would guess that
many people, including myself, have used that kind of thing. A lot of
the games wanted special access to their scores file thru setuid
execution so we used the pseudo-user falcon (maybe that's spelled
wrong, as in war games) to own the scores files rather than root or
whatever they recommended.

On the other hand I think we have to be cautious about fooling
ourselves. People are proposing all sorts of prophylactic security
mechanisms (this one, shadow passwds etc) which I believe is a bad
thing to stress in general. It seems to be the management of
insecurity rather than any attempt to create security. Have we really
given up and just decided to limit the damage? Sounds like a bad idea.
Also an infinite pit into which we will regret having slipped.

	-Barry Shein, ||Encore||

END OF DOCUMENT