Date: 11 May 86 22:11:53 MST (Sun)
Subject: Security Mailing List, # 22

----------------------------------------------------------------------------

Editor's corner

Well, hello, it's been a long time. I'm excruciatingly sorry to have been so
long to get another issue of this list out; the travails would have left
both Odysseus and Aeneas in shame. But enough of the soft violins.

Concerning back issues - that's the next problem. I'll announce when and
where they'll be available. Please don't request them until I announce it.

I would appreciate it if every addressee would please return to me an
acknowledgement to this issue or the one I'll be sending next weekend. I
intend to purge my list of everyone who has not answered in two weeks.
Those of you on the list know the trouble you went through to get on the
list.

I now have an active list of about 250 addressees, including several
generic aliases at various places. I would like to make it a common rule
that everyone on the list be addressed through an alias, like
"security@harvard" or some such; I think it will 1) add a little security
to the distribution, and 2) cut down the size of the list that I mail to.

I have a backlog of some 120 requests to join the mailing list. I'll be
filtering through these in the next two weeks.

I have one article to spice up this issue. If you have anything to report,
or sent me an article that got lost (I had four at one time, but they
disappeared over Christmas), please send it to me at the addresses at this
article's end.

Lyle

----------------------------------------------------------------------------

Date: Sat, 19 Apr 86 14:26:33 PST
From: onecom!ihnp4!hoptoad!gnu (John Gilmore)
Subject: Sun-3 tftp daemon is required on servers but insecure

Release:    Sun Unix 3.0 FCS

Customer:   John Gilmore
            Nebula Consultants
            1805 Golden Gate Ave.
            San Francisco, CA  94115
            +1 415 931 4667 voice
            sun!hoptoad!gnu data

Description:
        The tftp daemon allows anyone on the internetwork to read any
        publicly readable file (e.g. /etc/passwd) on the system. In earlier
        systems it was possible to turn off this daemon and avoid the bug.
        In 3.0, the bug has not been fixed, and tftp has been made required
        for servers, since it is used to boot clients.

Repeat-By:
        % tftp host
        > get /etc/passwd /tmp/pw
        > get /etc/hosts.equiv /tmp/he
        > get /.rhosts /tmp/rh
        > q
        % examine them, run password breaking programs, break in.

Fix:
        Fix the tftp daemon to provide the same level of security as the
        ftp daemon (e.g. do a "chroot" to a private directory).

----------------------------------------------------------------------------

The UNIX security issues mail list
Ignore the headers on this list and mail to:
        ...denelcor!security    (mail for the list).
        ...denelcor!sec-request (administrativia).
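The fix proposed in the tftp report above is to confine the daemon the way ftpd is confined, by chrooting into a private directory so that a client can only name files inside it. The following Python model of a tftpd read-request path is an added illustration for this issue, not code from the list, from John Gilmore or from Sun: it parses a TFTP read request (RRQ) packet and maps the client-supplied filename into an assumed served directory (/tftpboot, a placeholder) with chroot-like semantics, so the "get /etc/passwd" request from the Repeat-By section resolves to /tftpboot/etc/passwd rather than the real password file, and any name that climbs out of the served directory is refused. The userland path check only models the policy; a real daemon should still chroot (or equivalent) so the kernel enforces the boundary regardless of parsing mistakes.

```python
import posixpath
import struct
from typing import Optional, Tuple

# Assumed served directory (placeholder). Everything under it is readable by
# any host that can reach the daemon, so only boot images belong here.
TFTP_ROOT = "/tftpboot"

# The reported 3.0 daemon effectively opened the client's filename as given,
# which is why "get /etc/passwd" returned the real /etc/passwd.


def parse_rrq(packet: bytes) -> Tuple[str, str]:
    """Parse a TFTP read request: 2-byte opcode (1), filename, NUL, mode, NUL."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != 1:
        raise ValueError(f"not a read request (opcode {opcode})")
    fields = packet[2:].split(b"\0")
    # Expect at least filename, mode and the empty field after the final NUL.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("malformed RRQ")
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    if mode not in ("netascii", "octet"):
        raise ValueError(f"unsupported transfer mode {mode!r}")
    return filename, mode


def confine(root: str, requested: str) -> Optional[str]:
    """Map a client filename onto the served directory with chroot semantics.

    Absolute names are taken relative to root, ".." is collapsed, and any
    result that lands outside root is refused by returning None.
    """
    rel = requested.lstrip("/")
    if rel == "":
        return None  # no filename, or the root directory itself
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # After normalisation, a path that escaped root no longer starts with it.
    if not candidate.startswith(root + "/"):
        return None
    return candidate


def handle_rrq(packet: bytes, root: str = TFTP_ROOT) -> Tuple[str, str]:
    """Return ("ok", confined_path) or ("error", reason) for one RRQ packet."""
    try:
        filename, _mode = parse_rrq(packet)
    except ValueError as exc:
        return ("error", str(exc))
    path = confine(root, filename)
    if path is None:
        return ("error", f"access violation: {filename!r} escapes {root}")
    return ("ok", path)


def make_rrq(filename: str, mode: str = "octet") -> bytes:
    """Build an RRQ packet as a client would send it (constructed test input)."""
    return struct.pack("!H", 1) + filename.encode() + b"\0" + mode.encode() + b"\0"


if __name__ == "__main__":
    # The three requests from the Repeat-By section, plus a traversal attempt.
    for name in ("/etc/passwd", "/etc/hosts.equiv", "/.rhosts", "../etc/passwd"):
        print(name, "->", handle_rrq(make_rrq(name)))
```

The check deliberately works on the normalised string rather than on the filesystem, so it behaves the same whether or not the target exists; with a real chroot in place the string check is belt and braces, and the kernel refuses the escape even if a future parser bug let a bad name through.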